security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2022-02-22 15:39:03 +00:00
parent 319908bbc5
commit 021fe46502
8 changed files with 78 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -1024,6 +1024,7 @@ command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
command-and-control,T1090.003,Multi-hop Proxy,1,Psiphon,14d55ca0-920e-4b44-8425-37eedd72b173,powershell
command-and-control,T1090.003,Multi-hop Proxy,2,Tor Proxy Usage - Windows,7b9d85e5-c4ce-4434-8060-d3de83595e69,powershell
command-and-control,T1090.003,Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell
command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell
command-and-control,T1095,Non-Application Layer Protocol,3,Powercat C2,3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
1024 command-and-control T1090.001 Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
1025 command-and-control T1090.003 Multi-hop Proxy 1 Psiphon 14d55ca0-920e-4b44-8425-37eedd72b173 powershell
1026 command-and-control T1090.003 Multi-hop Proxy 2 Tor Proxy Usage - Windows 7b9d85e5-c4ce-4434-8060-d3de83595e69 powershell
1027 command-and-control T1090.003 Multi-hop Proxy 3 Tor Proxy Usage - Debian/Ubuntu 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 sh
1028 command-and-control T1095 Non-Application Layer Protocol 1 ICMP C2 0268e63c-e244-42db-bef7-72a9e59fc1fc powershell
1029 command-and-control T1095 Non-Application Layer Protocol 2 Netcat C2 bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 powershell
1030 command-and-control T1095 Non-Application Layer Protocol 3 Powercat C2 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e powershell
atomics/Indexes/Indexes-CSV/linux-index.csv
+1
View File
@@ -246,6 +246,7 @@ command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f
command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash
command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.003,Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
246 command-and-control T1105 Ingress Tool Transfer 6 sftp remote file copy (pull) 0139dba1-f391-405e-a4f5-f3989f2c88ef bash
247 command-and-control T1105 Ingress Tool Transfer 14 whois file download c99a829f-0bb8-4187-b2c6-d47d1df74cab sh
248 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
249 command-and-control T1090.003 Multi-hop Proxy 3 Tor Proxy Usage - Debian/Ubuntu 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7 sh
250 command-and-control T1571 Non-Standard Port 2 Testing usage of uncommonly used port 5db21e1d-dd9c-4a50-b885-b1e748912767 sh
251 command-and-control T1132.001 Standard Encoding 1 Base64 Encoded data. 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 sh
252 command-and-control T1071.001 Web Protocols 3 Malicious User Agents - Nix 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 sh
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -1728,6 +1728,7 @@
- [T1090.003 Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #1: Psiphon [windows]
- Atomic Test #2: Tor Proxy Usage - Windows [windows]
- Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1095 Non-Application Layer Protocol](../../T1095/T1095.md)
- Atomic Test #1: ICMP C2 [windows]
atomics/Indexes/Indexes-Markdown/linux-index.md
+2 -1
View File
@@ -679,7 +679,8 @@
- T1001.001 Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1071.003 Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1104 Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1090.003 Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.003 Multi-hop Proxy](../../T1090.003/T1090.003.md)
- Atomic Test #3: Tor Proxy Usage - Debian/Ubuntu [linux]
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1095 Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1132.002 Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/Matrices/linux-matrix.md
+1 -1
View File
@@ -24,7 +24,7 @@
| | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | [Password Spraying](../../T1110.003/T1110.003.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pluggable Authentication Modules](../../T1556.003/T1556.003.md) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Multi-hop Proxy](../../T1090.003/T1090.003.md) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | Implant Internal Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | | [Local Account](../../T1136.001/T1136.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [SAML Tokens](../../T1606.002/T1606.002.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
atomics/Indexes/index.yaml
+24
View File
@@ -71022,6 +71022,30 @@ command-and-control:
stop-process -name "tor" | out-null
name: powershell
elevation_required: false
- name: Tor Proxy Usage - Debian/Ubuntu
auto_generated_guid: 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7
description: "This test is designed to launch the tor proxy service, which is
what is utilized in the background by the Tor Browser and other applications
with add-ons in order to provide onion routing functionality.\nUpon successful
execution, the tor proxy service will be launched. \n"
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: "Tor must be installed on the machine \n"
prereq_command: 'if [ -x "$(command -v tor --version)" ]; then exit 0; else
exit 1; fi
'
get_prereq_command: 'sudo apt-get -y install tor
'
executor:
command: "sudo systemctl start tor \n"
cleanup_command: 'sudo systemctl stop tor
'
name: sh
T1026:
technique:
id: attack-pattern--99709758-2b96-48f2-a68a-ad7fbd828091
atomics/T1090.003/T1090.003.md
+47
View File
@@ -10,6 +10,8 @@ In the case of network infrastructure, particularly routers, it is possible for
- [Atomic Test #2 - Tor Proxy Usage - Windows](#atomic-test-2---tor-proxy-usage---windows)
- [Atomic Test #3 - Tor Proxy Usage - Debian/Ubuntu](#atomic-test-3---tor-proxy-usage---debianubuntu)
<br/>
@@ -121,4 +123,49 @@ expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor"
<br/>
<br/>
## Atomic Test #3 - Tor Proxy Usage - Debian/Ubuntu
This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
Upon successful execution, the tor proxy service will be launched.
**Supported Platforms:** Linux
**auto_generated_guid:** 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7
#### Attack Commands: Run with `sh`!
```sh
sudo systemctl start tor
```
#### Cleanup Commands:
```sh
sudo systemctl stop tor
```
#### Dependencies: Run with `sh`!
##### Description: Tor must be installed on the machine
##### Check Prereq Commands:
```sh
if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```sh
sudo apt-get -y install tor
```
<br/>