2018-05-08 15:15:27 -06:00
#
# This spec describes the format of Atomic Red Team atomic tests that are defined in YAML format.
#
# The directory structure is:
# - These tests reside in the `atomics` directory
2018-05-23 16:55:02 -06:00
# - One directory per ATT&CK technique, named "T1234"
# - All the atomic tests for a technique in a file called "T1234.yaml" inside that directory
2018-05-08 15:15:27 -06:00
# - Any payloads, supporting materials, etc for the atomic tests also live in that directory
#
# For example:
#
2018-05-21 20:43:28 +02:00
# atomic_red_team/
# atomic_red_team/atomics
2018-05-23 16:55:02 -06:00
# atomic_red_team/atomics/T1234
# atomic_red_team/atomics/T1234/T1234.yaml <-- this is where all the atomic tests live
2020-01-21 12:11:45 -06:00
# atomic_red_team/atomics/T1234/src/payload1.sct <-- a payload file needed by one of the T1234 atomics (human readable)
# atomic_red_team/atomics/T1234/bin/payload2.dll <-- another payload file needed by one of the T1234 atomics (binary)
2018-05-08 15:15:27 -06:00
#
# In general, a set of atomic tests for a technique should never depend on payloads
# or supporting files from other atomic directories. We want to keep things nice and close.
# Use git symlinks if you really need to share files between techniques.
#
2020-07-20 12:44:23 -05:00
# Atomic tests should be fully automated whenever possible, requiring no continued interaction.
# Include any needed options to execute the commands seamlessly, for example SysInternal's -accepteula option or any -q or -quiet modes.
#
2018-05-21 20:43:28 +02:00
# To validate your atomics, run `bin/validate_atomics.rb`
2018-05-08 14:58:11 -06:00
---
2018-05-10 12:20:35 -06:00
attack_technique: TXXXX # (with a capital T, Example : 'T1123' )
display_name: Name of the technique as defined by ATT&CK. # Example : 'Audio Capture'
2018-05-08 14:58:11 -06:00
# `atomic_tests` is an array of distinct test cases inside this technique. A test case should
# include ALL of the information needed to run that test (ie, this is the "atomic" - you don't
# distribute steps across different atomics)
# Each of these tests is a YAML array element (starts with a `-`).
atomic_tests :
#
# This is the first atomic test
#
2018-05-10 12:20:35 -06:00
- name: Short name of the test that titles how it tests the technique. # Example : "SourceRecorder via cmd.exe"
2020-05-07 22:42:41 -06:00
auto_generated_guid : # This key and/or it's value will be added by the CI build after submitting a Pull Request
2018-05-08 14:58:11 -06:00
description : |
Long form description of the test. Markdown is supported so you can **bold** items, create
- one list
- two list
- red list
- [blue list](https://google.com)
# supported platforms is an array of the OS/platforms this atomic test can be run upon. Values include:
# - windows
# - macos
# - linux
2021-06-03 13:51:20 -07:00
# - office-365
# - azure-ad
# - google-workspace
# - saas
# - iaas
# - containers
# - iaas:gcp
# - iaas:azure
# - iaas:aws
2018-05-08 14:58:11 -06:00
supported_platforms :
- windows
# inputs to the atomic test that are required to run the test (think of these like function arguments).
# This is a hash where the key is the input name, value is a hash defining the input argument.
input_arguments :
# this is the first input argument, called "output_file"
output_file :
# Short description of the input argument
description : xxxxx
# data type of the input. Possible values could include:
# - Path (a file path)
# - Url (a URL)
# - String
# - Integer
# - Float
# - really anything else you'd like, but add it to this list
type : Path
# default value for this argument that will be used if one is not specifid
default : test.wma
# this is a example of a second argument
malware_payload_url :
description : xxxxx
type : Url
default : 0000 : 00 : 30
2020-01-21 12:11:45 -06:00
dependency_executor_name : powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands
dependencies : # (optional)
# a list of dependies that must be met to successfully run this atomic
- description : |
TODO
prereq_command : | # commands to check if prerequisites for running this test are met. For the "command_prompt" executor, if any command returns a non-zero exit code, the pre-requisites are not met. For the "powershell" executor, all commands are run as a script block and the script block must return 0 for success.
TODO
get_prereq_command : | # commands to meet this prerequisite or a message describing how to meet this prereq
TODO
#example of two dependencies
dependencies :
- description : |
Sysmon executable must be available
prereq_command : |
where sysmon > nul
get_prereq_command : |
echo Automated installer not implemented yet, please install Sysmon manually
- description : |
Sysmon must be installed
prereq_command : |
sc query sysmon > nul
get_prereq_command : |
sysmon -i -accepteula
# a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
2018-05-08 14:58:11 -06:00
# per test, but there are cases where you may have multiple - for example, separate executors for `sh`
# and `bash` when working on linux OSes.
2021-06-04 14:30:15 -07:00
# Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
2021-11-23 12:38:03 -05:00
executor :
2018-05-08 14:58:11 -06:00
# the name of the executor describes the framework or application in which the test should be executed.
#
# Each of these executors will have options that the executor needs to run. Possible executors we've imagined
# at this time and their required options include:
#
2022-04-04 12:36:12 -06:00
# - command_prompt, sh, bash, powershell, manual, aws, az, gcloud, kubectl
2022-03-24 15:47:32 -06:00
#
# Each of the above requires the "command" option that is a multi-line script that will be preprocessed and
# then executed by cmd.exe, powershell.exe, sh or bash respectively
2018-05-08 14:58:11 -06:00
#
# Example:
2022-03-24 15:47:32 -06:00
# name: command_prompt
2018-05-08 14:58:11 -06:00
# command: |
# echo "attack starting"
# echo "running command 1: this is the value of the FOOBAR input_argument: #{FOOBAR}"
#
2019-12-23 09:30:09 -06:00
# - `manual` : a list of manual steps to run. This should only be used when required, for example when GUI steps are involved that
2018-05-08 14:58:11 -06:00
# cannot be automated.
#
# Requires the `steps` option that tells the user what to do to invoke the test. This is a
# multi-line list of instructions (also preprocessed)
#
# Example:
2022-03-24 15:47:32 -06:00
# name: manual
2018-05-08 14:58:11 -06:00
# steps: |
# 1. Navigate to [chrome://extensions](chrome://extensions) and
# tick 'Developer Mode'.
#
# 2. Click 'Load unpacked extension...' and navigate to
2018-05-23 16:55:02 -06:00
# [Browser_Extension](../T1176/)
2018-05-08 14:58:11 -06:00
#
# 3. Click the '#{FOOBAR}' button - you can interpolate here too!
#
2022-03-24 15:47:32 -06:00
name : command_prompt
2019-09-13 15:46:09 -06:00
elevation_required : true
# indicates whether command must be run with admin privileges.
#If the elevation_required attribute is not defined, the value is assumed to be false
2018-05-08 14:58:11 -06:00
command : |
SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
2019-09-13 15:46:09 -06:00
cleanup_command : | # you can remove the cleanup_command section if there are no cleanup commands
2018-05-08 14:58:11 -06:00
#
# This is the second atomic test
#
- name : Echo to the screen
2019-09-13 15:46:09 -06:00
2018-05-08 14:58:11 -06:00
description : |
blah blah blah
supported_platforms :
- macos
2020-01-21 12:11:45 -06:00
- linux
2018-05-08 14:58:11 -06:00
# in this example we have no input arguments
input_arguments :
2021-11-23 12:38:03 -05:00
executor :
2022-03-24 15:47:32 -06:00
name : bash
2018-05-08 14:58:11 -06:00
command : echo "Hello world!"
