# Atomic Red Team test definitions for ATT&CK technique T1083.
# Each entry under atomic_tests is one runnable emulation; the #{name}
# tokens inside command strings are filled in from that test's
# input_arguments before the executor runs them.
attack_technique: T1083
display_name: File and Directory Discovery
atomic_tests:
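- name: File and Directory Discovery (cmd.exe)
  auto_generated_guid: 0e36303b-6762-4500-b003-127743b80ba6
  description: |
    Find or discover files on the file system. Upon successful execution, this test will output the results of all the data discovery commands to a specified file.
  supported_platforms:
  - windows
  input_arguments:
    output_file:
      description: File to output results to
      type: string
      default: '%temp%\T1083Test1.txt'
  executor:
    # The output path is quoted on every redirect and on the cleanup so a
    # %temp% (or a user-supplied value) that contains spaces is still one
    # argument. No inline comments in this scalar: cmd.exe has no '#'
    # comment syntax, so any such line would be executed as a command.
    # On current Windows "c:\Documents and Settings" is a junction whose
    # listing is denied, so an access-denied line in the output is expected.
    command: |
      dir /s c:\ >> "#{output_file}"
      dir /s "c:\Documents and Settings" >> "#{output_file}"
      dir /s "c:\Program Files\" >> "#{output_file}"
      dir "%systemdrive%\Users\*.*" >> "#{output_file}"
      dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> "#{output_file}"
      dir "%userprofile%\Desktop\*.*" >> "#{output_file}"
      tree /F >> "#{output_file}"
    cleanup_command: |
      del "#{output_file}"
    name: command_prompt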
- name: File and Directory Discovery (PowerShell)
  auto_generated_guid: 2158908e-b7ef-4c21-8a83-3ce4dd05a924
  description: |
    Find or discover files on the file system. Upon execution, file and folder information will be displayed.
  supported_platforms:
  - windows
  executor:
    # Three spellings of the same cmdlet (ls and gci are aliases of
    # Get-ChildItem), each doing a full recursive walk of the executor's
    # current directory, so the listing is produced three times. No
    # -ErrorAction is set, so access-denied errors appear inline. Nothing
    # is written to disk, which is why there is no cleanup_command.
    command: |
      ls -recurse
      get-childitem -recurse
      gci -recurse
    name: powershell
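- name: Nix File and Directory Discovery
  auto_generated_guid: ffc8b249-372a-4b74-adcd-e4c0430842de
  description: |
    Find or discover files on the file system

    References:

    http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/

    https://perishablepress.com/list-files-folders-recursively-terminal/
  supported_platforms:
  - linux
  - macos
  input_arguments:
    output_file:
      description: Output file used to store the results.
      type: path
      # Predictable name in world-writable /tmp; acceptable on a lab host,
      # but do not run it as root on a shared system.
      default: /tmp/T1083.txt
  executor:
    # Every write to the output file now appends. The macOS-only
    # /Library/Preferences listing previously used a single '>' and
    # discarded the 'ls -a' result captured on the line before it. The
    # output path is quoted so a value with spaces is one argument.
    # 'locate *' is left as written: the shell expands the glob against the
    # working directory before locate sees it.
    command: |
      ls -a >> "#{output_file}"
      if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ >> "#{output_file}"; fi;
      file */* * >> "#{output_file}"
      cat "#{output_file}" 2>/dev/null
      find . -type f
      ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
      locate *
      which sh
    # -f keeps cleanup quiet when the file was never created.
    cleanup_command: |
      rm -f -- "#{output_file}"
    name: sh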
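- name: Nix File and Directory Discovery 2
  auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e
  description: |
    Find or discover files on the file system
  supported_platforms:
  - linux
  - macos
  input_arguments:
    output_file:
      description: Output file used to store the results.
      type: path
      default: /tmp/T1083.txt
  executor:
    # The pdf pattern is quoted so the shell does not expand it against
    # $HOME first: an unquoted *.pdf with two or more matches turns into
    # extra path arguments and find aborts with "paths must precede
    # expression". $HOME and the output path are quoted for the same
    # reason. The first line truncates the file on purpose; later lines
    # append. The cd on line one also sets the directory for the later
    # find calls, assuming the executor runs the block in a single shell.
    command: |
      cd "$HOME" && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > "#{output_file}"
      if [ -f /etc/mtab ]; then cat /etc/mtab >> "#{output_file}"; fi;
      find . -type f -iname '*.pdf' >> "#{output_file}"
      cat "#{output_file}"
      find . -type f -name ".*"
    cleanup_command: 'rm -f -- "#{output_file}"'
    name: sh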
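- name: Simulating MAZE Directory Enumeration
  auto_generated_guid: c6c34f61-1c3e-40fb-8a58-d017d88286d8
  description: |
    This test emulates MAZE ransomware's ability to enumerate directories using Powershell.
    Upon successful execution, this test will output the directory enumeration results to a specified file, as well as display them in the active window.
    See https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
  supported_platforms:
  - windows
  input_arguments:
    File_to_output:
      description: File to output results to
      type: string
      default: $env:temp\T1083Test5.txt
  executor:
    command: |
      # List the system drive root, both Program Files trees and the common
      # per-user folders, appending every listing to the output file.
      # $env:homedrive is just "C:"; without a trailing backslash
      # Get-ChildItem lists that drive's current location, not its root.
      $folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
      Get-ChildItem -Path "$env:homedrive\" -ErrorAction SilentlyContinue | Out-File -Append "#{File_to_output}"
      Get-ChildItem -Path $env:programfiles -ErrorAction SilentlyContinue | Out-File -Append "#{File_to_output}"
      Get-ChildItem -Path "${env:ProgramFiles(x86)}" -ErrorAction SilentlyContinue | Out-File -Append "#{File_to_output}"
      $UsersFolder = "$env:homedrive\Users\"
      foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
      {
        foreach ($secondarydirectory in $folderarray)
        {
          # Build the path from FullName rather than interpolating the
          # DirectoryInfo: its string form is the bare name on Windows
          # PowerShell 5.1 but the full path on PowerShell 7, which would
          # have produced a doubled "C:\Users\" prefix and empty results.
          Get-ChildItem -Path (Join-Path $directory.FullName $secondarydirectory) -ErrorAction SilentlyContinue | Out-File -Append "#{File_to_output}"
        }
      }
      cat "#{File_to_output}"
    cleanup_command: |
      Remove-Item "#{File_to_output}" -ErrorAction SilentlyContinue
    name: powershell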
- name: Launch DirLister Executable
  auto_generated_guid: c5bec457-43c9-4a18-9a24-fe151d8971b7
  description: |-
    Launches the DirLister executable for a short period of time and then exits.

    Recently seen used by [BlackCat ransomware](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/) to create a list of accessible directories and files.
  supported_platforms:
  - windows
  input_arguments:
    dirlister_path:
      description: 'Path to the DirLister executable '
      type: string
      default: PathToAtomicsFolder\..\ExternalPayloads\DirLister.exe
  dependency_executor_name: powershell
  dependencies:
  - description: |
      DirLister.exe must exist in the specified path #{dirlister_path}
    prereq_command: |
      if (Test-Path "#{dirlister_path}") {exit 0} else {exit 1}
    # Supply-chain note: the archive comes from a pinned GitHub release tag,
    # but its contents are not checked against a known hash or signature
    # before being unpacked next to the atomics and executed. Verify the
    # download (or stage it from an internal mirror) before running this
    # anywhere other than a disposable lab. The "TDirLister" staging names
    # are used consistently and are only temporary file names.
    get_prereq_command: |
      $parentpath = Split-Path "#{dirlister_path}"
      New-Item -ItemType Directory -Force -Path $parentpath | Out-Null
      Invoke-WebRequest https://github.com/SanderSade/DirLister/releases/download/v2.beta4/DirLister.v2.beta4.zip -OutFile "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip"
      Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4" -Force
      Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4\*" "$parentpath" -Recurse
      Remove-Item "PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4.zip","PathToAtomicsFolder\..\ExternalPayloads\TDirLister.v2.beta4" -Recurse -ErrorAction Ignore
  executor:
    # Starts the binary, waits about four seconds and then stops it by
    # process name, which ends every process called DirLister, not only the
    # one launched here. No cleanup_command is defined, so the downloaded
    # payload stays under ExternalPayloads after the run.
    command: |
      Start-Process "#{dirlister_path}"
      Start-Sleep -Second 4
      Stop-Process -Name "DirLister"
    name: powershell
- name: ESXi - Enumerate VMDKs available on an ESXi Host
  auto_generated_guid: 4a233a40-caf7-4cf1-890a-c6331bbc72cf
  description: |
    An adversary uses the find command to enumerate vmdks on an ESXi host.
    [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
  supported_platforms:
  - windows
  input_arguments:
    vm_host:
      description: Specify the host name of the ESXi Server
      type: string
      default: atomic.local
    vm_user:
      description: Specify the privilege user account on ESXi Server
      type: string
      default: root
    # Placeholder credentials: the defaults are not expected to work and
    # must be overridden for a real target. Passing the real password here
    # puts it into the plink command line (see the executor note).
    vm_pass:
      description: Specify the privilege user password on ESXi Server
      type: string
      default: pass
    plink_file:
      description: Path to Plink
      type: path
      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
    # The commands actually run on the ESXi host live in this script file,
    # which is outside this document.
    cli_script:
      description: Path to script with file discovery commands
      type: path
      default: PathToAtomicsFolder\T1083\src\esxi_file_discovery.txt
  dependency_executor_name: powershell
  dependencies:
  - description: |
      Check if plink is available.
    prereq_command: |
      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
    # Fetches whatever PuTTY build is currently "latest" over HTTPS with no
    # hash or signature check, so the binary is neither version-pinned nor
    # verified before it is used to authenticate to the hypervisor.
    get_prereq_command: |
      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
  executor:
    # The ESXi password is handed to plink via -pw on the command line, so
    # it is visible in process listings and in any command-line auditing
    # (e.g. Windows 4688 with command-line logging, Sysmon) on the machine
    # running the test. Treat the test host as holding that secret.
    command: |
      echo "" | "#{plink_file}" "#{vm_host}" -ssh -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
    name: command_prompt
  elevation_required: false
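- name: Identifying Network Shares - Linux
  auto_generated_guid: 361fe49d-0c19-46ec-a483-ccb92d38e88e
  description: |
    If the system uses network file systems (e.g., NFS, CIFS), findmnt can help locate paths to remote shares.
    Attackers may then attempt to access these shares for lateral movement or data exfiltration.
  supported_platforms:
  - linux
  executor:
    # -t takes a comma-separated list. NFSv4 mounts report their type as
    # nfs4 and CIFS shares (named in the description) as cifs; a plain
    # "-t nfs" filter returned neither. Read-only, so nothing to clean up;
    # findmnt exits non-zero when no mount matches.
    command: |
      findmnt -t nfs,nfs4,cifs
    name: sh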
- name: Recursive Enumerate Files And Directories By Powershell
  auto_generated_guid: 95a21323-770d-434c-80cd-6f6fbf7af432
  description: |
    Adversary attempting to discover and collect sensitive documents and archives
    from a user’s system. The test recursively enumerates common user folders
    (Documents, Downloads, Desktop, OneDrive) for file types of interest such as .pdf, .doc,
    .docx, .xls, .xlsx, .txt, .zip, .rar, and .7z.
    This behavior is similar to malware like LOSTKEYS used by COLDRIVER in January 2025,
    where attackers perform targeted file discovery to support strategic intelligence collection https://www.zscaler.com/blogs/security-research/coldriver-updates-arsenal-baitswitch-and-simplefix.
  supported_platforms:
  - windows
  input_arguments:
    output_file:
      description: File to output results.
      type: string
      default: '$env:TEMP\T1083-Enumerate-net.txt'
  executor:
    name: powershell
    command: |
      # Walk the current user's profile, record every file whose extension
      # is in $exts under any directory whose full path contains one of the
      # $dirsFilter names, then write the collected lines to $out.
      $out = "#{output_file}"
      $dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
      $exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
      $userProfile = [Environment]::GetFolderPath('UserProfile')
      # Result lines; Scan-Dir appends to this list through PowerShell's
      # dynamic scoping (the list object is shared, not copied).
      $tr = [System.Collections.Generic.List[string]]::new()

      # True when the file's lower-cased extension is one of $exts.
      function MatchesExtension($path) {
        try {
          $e = [System.IO.Path]::GetExtension($path).ToLower()
          return $exts -contains $e
        } catch { return $false }
      }

      # Recursively list matching files under $root. The filter is a
      # substring match on the whole path, so once a folder such as
      # ...\Documents matches, every descendant matches as well (and a
      # profile path that itself contains one of the words would match
      # everything). An exception inside the try ends the walk of that one
      # directory and records it as [AccessDenied] or [Error]; failures in
      # nested calls are handled by their own try/catch.
      function Scan-Dir($root) {
        try {
          $match = $false
          foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
          if (-not $match) { return }

          [System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
            if (MatchesExtension $_) {
              $fi = [System.IO.FileInfo]::new($_)
              $tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
            }
          }

          [System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
            Scan-Dir $_
          }
        } catch [System.UnauthorizedAccessException] {
          $tr.Add("[AccessDenied] $root")
        } catch {
          $tr.Add("[Error] $root => $($_.Exception.Message)")
        }
      }

      # Only the profile's top-level folders are candidates; files directly
      # in the profile root are never examined.
      [System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }

      # Ensure output dir exists
      $outDir = [System.IO.Path]::GetDirectoryName($out)
      if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
        New-Item -Path $outDir -ItemType Directory -Force | Out-Null
      }

      # Write results (an empty list still creates an empty file)
      $tr | Out-File -FilePath $out -Encoding UTF8
      Write-Output "Enumeration complete. Results written to: $out"
    cleanup_command: |
      Remove-Item -Path "#{output_file}" -ErrorAction SilentlyContinue