security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2025-04-29 22:39:13 +00:00
parent 69ce78765d
commit 09e643421c
26 changed files with 576 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+1 -1
View File
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1726-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1729-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-aws.json
+1 -1
View File
@@ -1 +1 @@
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
{"name":"Atomic Red Team (Iaas:AWS)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:AWS) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1098","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}],"comment":"\n- AWS - Create a group and add a user to that group\n"},{"techniqueID":"T1098.001","score":1,"enabled":true,"comment":"\n- AWS - Create Access Key and Secret Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110/T1110.md"}]},{"techniqueID":"T1110.003","score":1,"enabled":true,"comment":"\n- AWS - Password Spray an AWS using GoAWSConsoleSpray\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1136","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md"}]},{"techniqueID":"T1136.003","score":1,"enabled":true,"comment":"\n- AWS - Create a new IAM user\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1201","score":1,"enabled":true,"comment":"\n- Examine AWS Password Policy\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1526","score":1,"enabled":true,"comment":"\n- AWS - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1530","score":1,"enabled":true,"comment":"\n- AWS - Scan for Anonymous Access to S3\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"comment":"\n- AWS - Retrieve EC2 Password Data using stratus\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1562","score":7,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.001","score":1,"enabled":true,"comment":"\n- AWS - GuardDuty Suspension or Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.008","score":6,"enabled":true,"comment":"\n- AWS - CloudTrail Changes\n- AWS - Disable CloudTrail Logging Through Event Selectors using Stratus\n- AWS - CloudTrail Logs Impairment Through S3 Lifecycle Rule using Stratus\n- AWS - Remove VPC Flow Logs using Stratus\n- AWS - CloudWatch Log Group Deletes\n- AWS CloudWatch Log Stream Deletes\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- AWS - Create Snapshot from EBS Volume\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1580","score":2,"enabled":true,"comment":"\n- AWS - EC2 Enumeration from Cloud Instance\n- AWS - EC2 Security Group Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1580/T1580.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- AWS S3 Enumeration\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]},{"techniqueID":"T1648","score":1,"enabled":true,"comment":"\n- Lambda Function Hijack\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1648/T1648.md"}]},{"techniqueID":"T1651","score":1,"enabled":true,"comment":"\n- AWS Run Command (and Control)\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1651/T1651.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-azure.json
+1 -1
View File
@@ -1 +1 @@
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1550","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.001","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.001/T1550.001.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
{"name":"Atomic Red Team (Iaas:Azure)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:Azure) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":1,"enabled":true,"comment":"\n- Azure Persistence Automation Runbook Created or Modified\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":2,"enabled":true,"comment":"\n- Azure - adding user to Azure role in subscription\n- Azure - adding service principal to Azure role in subscription\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1526","score":2,"enabled":true,"comment":"\n- Azure - Dump Subscription Data with MicroBurst\n- Azure - Enumerate common cloud services\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1526/T1526.md"}]},{"techniqueID":"T1528","score":1,"enabled":true,"comment":"\n- Azure - Dump All Azure Key Vaults with Microburst\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1528/T1528.md"}]},{"techniqueID":"T1530","score":3,"enabled":true,"comment":"\n- Azure - Enumerate Azure Blobs with MicroBurst\n- Azure - Scan for Anonymous Access to Azure Storage (Powershell)\n- Azure - Dump Azure Storage Account Objects via Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1530/T1530.md"}]},{"techniqueID":"T1550","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550/T1550.md"}]},{"techniqueID":"T1550.001","score":2,"enabled":true,"comment":"\n- Azure - Functions code upload - Functions code injection via Blob upload\n- Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.001/T1550.001.md"}]},{"techniqueID":"T1552","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.005","score":1,"enabled":true,"comment":"\n- Azure - Dump Azure Instance Metadata from Virtual Machines\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.005/T1552.005.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- Azure - Eventhub Deletion\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- Azure - Create Snapshot from Managed Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]},{"techniqueID":"T1619","score":1,"enabled":true,"comment":"\n- Azure - Enumerate Storage Account Objects via Shared Key authorization using Azure CLI\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1619/T1619.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas-gcp.json
+1 -1
View File
@@ -1 +1 @@
{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"comment":"\n- GCP - Delete Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
{"name":"Atomic Red Team (Iaas:GCP)","versions":{"attack":"16","navigator":"5.1.0","layer":"4.5"},"description":"Atomic Red Team (Iaas:GCP) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1078","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078/T1078.md"}]},{"techniqueID":"T1078.004","score":2,"enabled":true,"comment":"\n- Creating GCP Service Account and Service Account Key\n- GCP - Create Custom IAM Role\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1098","score":1,"enabled":true,"comment":"\n- GCP - Delete Service Account Key\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1485","score":1,"enabled":true,"comment":"\n- GCP - Delete Bucket\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1562","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562/T1562.md"}]},{"techniqueID":"T1562.008","score":1,"enabled":true,"comment":"\n- GCP - Delete Activity Event Log\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1578","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578/T1578.md"}]},{"techniqueID":"T1578.001","score":1,"enabled":true,"comment":"\n- GCP - Create Snapshot from Persistent Disk\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1578.001/T1578.001.md"}]}]}
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/iaas-index.csv
+3
View File
@@ -8,6 +8,9 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,6,AWS - Remove VPC
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch Log Group Deletes,89422c87-b57b-4a04-a8ca-802bb9d06121,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,10,GCP - Delete Activity Event Log,d56152ec-01d9-42a2-877c-aac1f6ebe8e6,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,1,AWS - Create Snapshot from EBS Volume,a3c09662-85bb-4ea8-b15b-6dc8a844e236,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,2,Azure - Create Snapshot from Managed Disk,89e69b4b-3458-4ec6-b819-b3008debc1bc,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,3,GCP - Create Snapshot from Persistent Disk,e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d,sh
defense-evasion,T1550.001,Use Alternate Authentication Material: Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
defense-evasion,T1550.001,Use Alternate Authentication Material: Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
8 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 7 AWS - CloudWatch Log Group Deletes 89422c87-b57b-4a04-a8ca-802bb9d06121 sh
9 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 8 AWS CloudWatch Log Stream Deletes 33ca84bc-4259-4943-bd36-4655dc420932 sh
10 defense-evasion T1562.008 Impair Defenses: Disable Cloud Logs 10 GCP - Delete Activity Event Log d56152ec-01d9-42a2-877c-aac1f6ebe8e6 sh
11 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 1 AWS - Create Snapshot from EBS Volume a3c09662-85bb-4ea8-b15b-6dc8a844e236 sh
12 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 2 Azure - Create Snapshot from Managed Disk 89e69b4b-3458-4ec6-b819-b3008debc1bc sh
13 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 3 GCP - Create Snapshot from Persistent Disk e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d sh
14 defense-evasion T1550.001 Use Alternate Authentication Material: Application Access Token 1 Azure - Functions code upload - Functions code injection via Blob upload 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43 powershell
15 defense-evasion T1550.001 Use Alternate Authentication Material: Application Access Token 2 Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1 powershell
16 defense-evasion T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
atomics/Indexes/Indexes-CSV/index.csv
+3
View File
@@ -638,6 +638,9 @@ defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,7,Show al
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,8,Hide Files Through Registry,f650456b-bd49-4bc1-ae9d-271b5b9581e7,command_prompt
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,9,Create Windows Hidden File with powershell,7f66d539-4fbe-4cfa-9a56-4a2bf660c58a,powershell
defense-evasion,T1564.001,Hide Artifacts: Hidden Files and Directories,10,Create Windows System File with powershell,d380c318-0b34-45cb-9dad-828c11891e43,powershell
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,1,AWS - Create Snapshot from EBS Volume,a3c09662-85bb-4ea8-b15b-6dc8a844e236,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,2,Azure - Create Snapshot from Managed Disk,89e69b4b-3458-4ec6-b819-b3008debc1bc,sh
defense-evasion,T1578.001,Modify Cloud Compute Infrastructure: Create Snapshot,3,GCP - Create Snapshot from Persistent Disk,e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d,sh
defense-evasion,T1550.001,Use Alternate Authentication Material: Application Access Token,1,Azure - Functions code upload - Functions code injection via Blob upload,9a5352e4-56e5-45c2-9b3f-41a46d3b3a43,powershell
defense-evasion,T1550.001,Use Alternate Authentication Material: Application Access Token,2,Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token,67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1,powershell
defense-evasion,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
638 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 8 Hide Files Through Registry f650456b-bd49-4bc1-ae9d-271b5b9581e7 command_prompt
639 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 9 Create Windows Hidden File with powershell 7f66d539-4fbe-4cfa-9a56-4a2bf660c58a powershell
640 defense-evasion T1564.001 Hide Artifacts: Hidden Files and Directories 10 Create Windows System File with powershell d380c318-0b34-45cb-9dad-828c11891e43 powershell
641 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 1 AWS - Create Snapshot from EBS Volume a3c09662-85bb-4ea8-b15b-6dc8a844e236 sh
642 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 2 Azure - Create Snapshot from Managed Disk 89e69b4b-3458-4ec6-b819-b3008debc1bc sh
643 defense-evasion T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot 3 GCP - Create Snapshot from Persistent Disk e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d sh
644 defense-evasion T1550.001 Use Alternate Authentication Material: Application Access Token 1 Azure - Functions code upload - Functions code injection via Blob upload 9a5352e4-56e5-45c2-9b3f-41a46d3b3a43 powershell
645 defense-evasion T1550.001 Use Alternate Authentication Material: Application Access Token 2 Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token 67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1 powershell
646 defense-evasion T1078.004 Valid Accounts: Cloud Accounts 1 Creating GCP Service Account and Service Account Key 9fdd83fd-bd53-46e5-a716-9dec89c8ae8e sh
atomics/Indexes/Indexes-Markdown/index.md
+4 -1
View File
@@ -826,7 +826,10 @@
- Atomic Test #8: Hide Files Through Registry [windows]
- Atomic Test #9: Create Windows Hidden File with powershell [windows]
- Atomic Test #10: Create Windows System File with powershell [windows]
- T1578.001 Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1578.001 Modify Cloud Compute Infrastructure: Create Snapshot](../../T1578.001/T1578.001.md)
- Atomic Test #1: AWS - Create Snapshot from EBS Volume [iaas:aws]
- Atomic Test #2: Azure - Create Snapshot from Managed Disk [iaas:azure]
- Atomic Test #3: GCP - Create Snapshot from Persistent Disk [iaas:gcp]
- [T1550.001 Use Alternate Authentication Material: Application Access Token](../../T1550.001/T1550.001.md)
- Atomic Test #1: Azure - Functions code upload - Functions code injection via Blob upload [iaas:azure]
- Atomic Test #2: Azure - Functions code upload - Functions code injection via File Share modification to retrieve the Functions identity access token [iaas:azure]
atomics/Indexes/Matrices/matrix.md
+1 -1
View File
@@ -188,7 +188,7 @@
| | | | | Domain or Tenant Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | |
| | | | | [Hide Artifacts: Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | |
| | | | | Create Snapshot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Modify Cloud Compute Infrastructure: Create Snapshot](../../T1578.001/T1578.001.md) | | | | | | | |
| | | | | [Use Alternate Authentication Material: Application Access Token](../../T1550.001/T1550.001.md) | | | | | | | |
| | | | | [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | | | | | | | |
| | | | | Environmental Keying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
atomics/Indexes/azure-ad-index.yaml
+2 -1
View File
@@ -14024,7 +14024,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -14084,6 +14084,7 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1578.001
atomic_tests: []
T1550.001:
technique:
atomics/Indexes/containers-index.yaml
+2 -1
View File
@@ -13999,7 +13999,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -14059,6 +14059,7 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1578.001
atomic_tests: []
T1550.001:
technique:
atomics/Indexes/google-workspace-index.yaml
+2 -1
View File
@@ -13928,7 +13928,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -13988,6 +13988,7 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1578.001
atomic_tests: []
T1550.001:
technique:
atomics/Indexes/iaas-index.yaml
+2 -1
View File
@@ -13928,7 +13928,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -13988,6 +13988,7 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1578.001
atomic_tests: []
T1550.001:
technique:
atomics/Indexes/iaas_aws-index.yaml
+58 -2
View File
@@ -14298,7 +14298,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -14358,7 +14358,63 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
identifier: T1578.001
atomic_tests:
- name: AWS - Create Snapshot from EBS Volume
auto_generated_guid: a3c09662-85bb-4ea8-b15b-6dc8a844e236
description: |
Creates an EBS snapshot in AWS using the AWS CLI.
This simulates an adversary duplicating volume data via snapshots for persistence or exfiltration.
supported_platforms:
- iaas:aws
input_arguments:
aws_region:
description: AWS region where the volume is located.
type: string
default: us-east-1
aws_volume_id:
description: The AWS EBS Volume ID to create a snapshot from.
type: string
default: vol-0123456789abcdef0
dependencies:
- description: AWS CLI must be installed.
prereq_command: 'if command -v aws > /dev/null 2>&1; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "Install AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html"
'
- description: AWS CLI must be authenticated.
prereq_command: 'if aws sts get-caller-identity --region #{aws_region} > /dev/null
2>&1; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Configure AWS credentials with: aws configure"
'
- description: EBS volume must exist.
prereq_command: 'if aws ec2 describe-volumes --volume-ids #{aws_volume_id}
--region #{aws_region} > /dev/null 2>&1; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Ensure the volume ID exists in the target AWS account
and region."
'
executor:
name: sh
elevation_required: false
command: 'aws ec2 create-snapshot --region #{aws_region} --volume-id #{aws_volume_id}
--description "Atomic Red Team Test Snapshot" --query "SnapshotId" --output
text
'
cleanup_command: |
SNAPSHOT_ID=$(aws ec2 describe-snapshots --region #{aws_region} --filters "Name=volume-id,Values=#{aws_volume_id}" --query "Snapshots[0].SnapshotId" --output text)
if [ "$SNAPSHOT_ID" != "None" ]; then
aws ec2 delete-snapshot --region #{aws_region} --snapshot-id "$SNAPSHOT_ID"
fi
T1550.001:
technique:
modified: '2024-10-15T15:38:11.583Z'
atomics/Indexes/iaas_azure-index.yaml
+59 -2
View File
@@ -14008,7 +14008,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -14068,7 +14068,64 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
identifier: T1578.001
atomic_tests:
- name: Azure - Create Snapshot from Managed Disk
auto_generated_guid: 89e69b4b-3458-4ec6-b819-b3008debc1bc
description: |
Creates a snapshot of a managed disk in Azure using the Azure CLI.
Simulates adversary snapshotting behavior for persistence or data duplication.
supported_platforms:
- iaas:azure
input_arguments:
azure_resource_group:
description: The Azure resource group where the disk is located.
type: string
default: myResourceGroup
azure_disk_name:
description: The Azure disk name.
type: string
default: myDiskName
azure_snapshot_name:
description: The Azure snapshot name.
type: string
default: mySnapshotName
dependencies:
- description: Azure CLI must be installed.
prereq_command: 'if command -v az > /dev/null 2>&1; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "Install Azure CLI: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli"
'
- description: Azure CLI must be authenticated.
prereq_command: 'if az account show > /dev/null 2>&1; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "Login with: az login"
'
- description: Azure disk must exist.
prereq_command: 'if az disk show --resource-group #{azure_resource_group}
--name #{azure_disk_name} > /dev/null 2>&1; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Ensure the disk exists in the given resource group."
'
executor:
name: sh
elevation_required: false
command: 'az snapshot create --resource-group #{azure_resource_group} --name
#{azure_snapshot_name} --source #{azure_disk_name} --location eastus
'
cleanup_command: 'az snapshot delete --resource-group #{azure_resource_group}
--name #{azure_snapshot_name}
'
T1550.001:
technique:
modified: '2024-10-15T15:38:11.583Z'
atomics/Indexes/iaas_gcp-index.yaml
+58 -2
View File
@@ -13969,7 +13969,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -14029,7 +14029,63 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
identifier: T1578.001
atomic_tests:
- name: GCP - Create Snapshot from Persistent Disk
auto_generated_guid: e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d
description: |
Creates a snapshot of a persistent disk in GCP using the gcloud CLI.
Emulates adversary behavior to gain access to volume data or replicate environment state.
supported_platforms:
- iaas:gcp
input_arguments:
gcp_disk_name:
description: The Google Cloud disk name.
type: string
default: myDiskName
gcp_zone:
description: The Google Cloud zone where the disk is located.
type: string
default: us-central1-a
gcp_snapshot_name:
description: The Google Cloud snapshot name.
type: string
default: mySnapshotName
dependencies:
- description: gcloud CLI must be installed.
prereq_command: 'if command -v gcloud > /dev/null 2>&1; then exit 0; else
exit 1; fi
'
get_prereq_command: 'echo "Install gcloud CLI: https://cloud.google.com/sdk/docs/install"
'
- description: gcloud CLI must be authenticated.
prereq_command: 'if gcloud auth list --filter=status:ACTIVE --format="value(account)"
| grep . > /dev/null; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Authenticate with: gcloud auth login"
'
- description: GCP disk must exist.
prereq_command: 'if gcloud compute disks describe #{gcp_disk_name} --zone=#{gcp_zone}
> /dev/null 2>&1; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Ensure the disk exists in the specified zone."
'
executor:
name: sh
elevation_required: false
command: 'gcloud compute snapshots create #{gcp_snapshot_name} --source-disk=#{gcp_disk_name}
--zone=#{gcp_zone}
'
cleanup_command: 'gcloud compute snapshots delete #{gcp_snapshot_name} --quiet
'
T1550.001:
technique:
modified: '2024-10-15T15:38:11.583Z'
atomics/Indexes/index.yaml
+169 -2
View File
@@ -31032,7 +31032,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -31092,7 +31092,174 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
atomic_tests: []
identifier: T1578.001
atomic_tests:
- name: AWS - Create Snapshot from EBS Volume
auto_generated_guid: a3c09662-85bb-4ea8-b15b-6dc8a844e236
description: |
Creates an EBS snapshot in AWS using the AWS CLI.
This simulates an adversary duplicating volume data via snapshots for persistence or exfiltration.
supported_platforms:
- iaas:aws
input_arguments:
aws_region:
description: AWS region where the volume is located.
type: string
default: us-east-1
aws_volume_id:
description: The AWS EBS Volume ID to create a snapshot from.
type: string
default: vol-0123456789abcdef0
dependencies:
- description: AWS CLI must be installed.
prereq_command: 'if command -v aws > /dev/null 2>&1; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "Install AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html"
'
- description: AWS CLI must be authenticated.
prereq_command: 'if aws sts get-caller-identity --region #{aws_region} > /dev/null
2>&1; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Configure AWS credentials with: aws configure"
'
- description: EBS volume must exist.
prereq_command: 'if aws ec2 describe-volumes --volume-ids #{aws_volume_id}
--region #{aws_region} > /dev/null 2>&1; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Ensure the volume ID exists in the target AWS account
and region."
'
executor:
name: sh
elevation_required: false
command: 'aws ec2 create-snapshot --region #{aws_region} --volume-id #{aws_volume_id}
--description "Atomic Red Team Test Snapshot" --query "SnapshotId" --output
text
'
cleanup_command: |
SNAPSHOT_ID=$(aws ec2 describe-snapshots --region #{aws_region} --filters "Name=volume-id,Values=#{aws_volume_id}" --query "Snapshots[0].SnapshotId" --output text)
if [ "$SNAPSHOT_ID" != "None" ]; then
aws ec2 delete-snapshot --region #{aws_region} --snapshot-id "$SNAPSHOT_ID"
fi
- name: Azure - Create Snapshot from Managed Disk
auto_generated_guid: 89e69b4b-3458-4ec6-b819-b3008debc1bc
description: |
Creates a snapshot of a managed disk in Azure using the Azure CLI.
Simulates adversary snapshotting behavior for persistence or data duplication.
supported_platforms:
- iaas:azure
input_arguments:
azure_resource_group:
description: The Azure resource group where the disk is located.
type: string
default: myResourceGroup
azure_disk_name:
description: The Azure disk name.
type: string
default: myDiskName
azure_snapshot_name:
description: The Azure snapshot name.
type: string
default: mySnapshotName
dependencies:
- description: Azure CLI must be installed.
prereq_command: 'if command -v az > /dev/null 2>&1; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "Install Azure CLI: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli"
'
- description: Azure CLI must be authenticated.
prereq_command: 'if az account show > /dev/null 2>&1; then exit 0; else exit
1; fi
'
get_prereq_command: 'echo "Login with: az login"
'
- description: Azure disk must exist.
prereq_command: 'if az disk show --resource-group #{azure_resource_group}
--name #{azure_disk_name} > /dev/null 2>&1; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Ensure the disk exists in the given resource group."
'
executor:
name: sh
elevation_required: false
command: 'az snapshot create --resource-group #{azure_resource_group} --name
#{azure_snapshot_name} --source #{azure_disk_name} --location eastus
'
cleanup_command: 'az snapshot delete --resource-group #{azure_resource_group}
--name #{azure_snapshot_name}
'
- name: GCP - Create Snapshot from Persistent Disk
auto_generated_guid: e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d
description: |
Creates a snapshot of a persistent disk in GCP using the gcloud CLI.
Emulates adversary behavior to gain access to volume data or replicate environment state.
supported_platforms:
- iaas:gcp
input_arguments:
gcp_disk_name:
description: The Google Cloud disk name.
type: string
default: myDiskName
gcp_zone:
description: The Google Cloud zone where the disk is located.
type: string
default: us-central1-a
gcp_snapshot_name:
description: The Google Cloud snapshot name.
type: string
default: mySnapshotName
dependencies:
- description: gcloud CLI must be installed.
prereq_command: 'if command -v gcloud > /dev/null 2>&1; then exit 0; else
exit 1; fi
'
get_prereq_command: 'echo "Install gcloud CLI: https://cloud.google.com/sdk/docs/install"
'
- description: gcloud CLI must be authenticated.
prereq_command: 'if gcloud auth list --filter=status:ACTIVE --format="value(account)"
| grep . > /dev/null; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Authenticate with: gcloud auth login"
'
- description: GCP disk must exist.
prereq_command: 'if gcloud compute disks describe #{gcp_disk_name} --zone=#{gcp_zone}
> /dev/null 2>&1; then exit 0; else exit 1; fi
'
get_prereq_command: 'echo "Ensure the disk exists in the specified zone."
'
executor:
name: sh
elevation_required: false
command: 'gcloud compute snapshots create #{gcp_snapshot_name} --source-disk=#{gcp_disk_name}
--zone=#{gcp_zone}
'
cleanup_command: 'gcloud compute snapshots delete #{gcp_snapshot_name} --quiet
'
T1550.001:
technique:
modified: '2024-10-15T15:38:11.583Z'
atomics/Indexes/linux-index.yaml
+2 -1
View File
@@ -17699,7 +17699,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -17759,6 +17759,7 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1578.001
atomic_tests: []
T1550.001:
technique:
atomics/Indexes/macos-index.yaml
+2 -1
View File
@@ -16193,7 +16193,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -16253,6 +16253,7 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1578.001
atomic_tests: []
T1550.001:
technique:
atomics/Indexes/office-365-index.yaml
+2 -1
View File
@@ -14109,7 +14109,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -14169,6 +14169,7 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1578.001
atomic_tests: []
T1550.001:
technique:
atomics/Indexes/saas-index.yaml
+2 -1
View File
@@ -13928,7 +13928,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -13988,6 +13988,7 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1578.001
atomic_tests: []
T1550.001:
technique:
atomics/Indexes/windows-index.yaml
+2 -1
View File
@@ -25806,7 +25806,7 @@ defense-evasion:
T1578.001:
technique:
modified: '2024-10-15T15:53:44.870Z'
name: Create Snapshot
name: 'Modify Cloud Compute Infrastructure: Create Snapshot'
description: |-
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
@@ -25866,6 +25866,7 @@ defense-evasion:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_attack_spec_version: 3.2.0
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
identifier: T1578.001
atomic_tests: []
T1550.001:
technique:
atomics/T1578.001/T1578.001.md
+191 -81
View File
@@ -1,121 +1,231 @@
# T1578.001 - Modify Cloud Compute Infrastructure: Create Snapshot
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1578/001)
<blockquote>An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in Revert Cloud Instance where an adversary may revert to a snapshot to evade detection and remove evidenc...
<blockquote>
An adversary may Create Cloud Instance, mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.</blockquote>
An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.
An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)
</blockquote>
## Atomic Tests
- [Atomic Test #1 - AWS - Create EBS Snapshot](#atomic-test-1---aws---create-ebs-snapshot)
- [Atomic Test #2 - Azure - Create Managed Disk Snapshot](#atomic-test-2---azure---create-managed-disk-snapshot)
- [Atomic Test #3 - GCP - Create Persistent Disk Snapshot](#atomic-test-3---gcp---create-persistent-disk-snapshot)
- [Atomic Test #1 - AWS - Create Snapshot from EBS Volume](#atomic-test-1---aws---create-snapshot-from-ebs-volume)
- [Atomic Test #2 - Azure - Create Snapshot from Managed Disk](#atomic-test-2---azure---create-snapshot-from-managed-disk)
- [Atomic Test #3 - GCP - Create Snapshot from Persistent Disk](#atomic-test-3---gcp---create-snapshot-from-persistent-disk)
<br/>
## Atomic Test #1 - AWS - Create EBS Snapshot
Creates a snapshot of a specified EBS volume in AWS.
## Atomic Test #1 - AWS - Create Snapshot from EBS Volume
Creates an EBS snapshot in AWS using the AWS CLI.
This simulates an adversary duplicating volume data via snapshots for persistence or exfiltration.
**Supported Platforms:** Iaas:aws
**auto_generated_guid:** a3c09662-85bb-4ea8-b15b-6dc8a844e236
**Supported Platforms:** iaas:aws
**auto_generated_guid:** 1dbd9e45-2be4-4924-83b3-ff6a1cd106a7
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| aws_volume_id | The AWS EBS Volume ID to create a snapshot from | string | vol-0123456789abcdef0 |
| aws_region | AWS region where the volume is located | string | us-east-1 |
| aws_region | AWS region where the volume is located. | string | us-east-1|
| aws_volume_id | The AWS EBS Volume ID to create a snapshot from. | string | vol-0123456789abcdef0|
#### Attack Commands: Run with `sh`!
#### Attack Commands: Run with `sh`!
```sh
aws ec2 create-snapshot --region \#{aws_region} --volume-id \#{aws_volume_id} --description "Atomic Red Team Test Snapshot" --query "SnapshotId" --output text
aws ec2 create-snapshot --region #{aws_region} --volume-id #{aws_volume_id} --description "Atomic Red Team Test Snapshot" --query "SnapshotId" --output text
```
#### Cleanup Commands:
```sh
SNAPSHOT_ID=$(aws ec2 describe-snapshots --region \#{aws_region} --filters "Name=volume-id,Values=\#{aws_volume_id}" --query "Snapshots[0].SnapshotId" --output text)
aws ec2 delete-snapshot --region \#{aws_region} --snapshot-id "$SNAPSHOT_ID"
SNAPSHOT_ID=$(aws ec2 describe-snapshots --region #{aws_region} --filters "Name=volume-id,Values=#{aws_volume_id}" --query "Snapshots[0].SnapshotId" --output text)
if [ "$SNAPSHOT_ID" != "None" ]; then
aws ec2 delete-snapshot --region #{aws_region} --snapshot-id "$SNAPSHOT_ID"
fi
```
#### Dependencies: Run with `sh`!
##### Description: AWS CLI must be installed
#### Dependencies: Run with `sh`!
##### Description: AWS CLI must be installed.
##### Check Prereq Commands:
```sh
command -v aws
if command -v aws > /dev/null 2>&1; then exit 0; else exit 1; fi
```
##### Description: The specified EBS volume must exist
##### Get Prereq Commands:
```sh
aws ec2 describe-volumes --volume-ids \#{aws_volume_id} --region \#{aws_region}
echo "Install AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html"
```
<br/><br/>
## Atomic Test #2 - Azure - Create Managed Disk Snapshot
Creates a snapshot of a managed disk in Azure.
**Supported Platforms:** iaas:azure
**auto_generated_guid:** 5c5b1e22-38d9-4f70-97c5-2bc31d32ab29
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| azure_disk_name | The Azure disk name | string | myDiskName |
| azure_resource_group | The Azure resource group where the disk is located | string | myResourceGroup |
| azure_snapshot_name | The Azure snapshot name | string | mySnapshotName |
#### Attack Commands: Run with `sh`!
##### Description: AWS CLI must be authenticated.
##### Check Prereq Commands:
```sh
az snapshot create --resource-group \#{azure_resource_group} --name \#{azure_snapshot_name} --source \#{azure_disk_name} --location eastus
if aws sts get-caller-identity --region #{aws_region} > /dev/null 2>&1; then exit 0; else exit 1; fi
```
#### Cleanup Commands:
##### Get Prereq Commands:
```sh
az snapshot delete --resource-group \#{azure_resource_group} --name \#{azure_snapshot_name}
echo "Configure AWS credentials with: aws configure"
```
#### Dependencies: Run with `sh`!
##### Description: Azure CLI must be installed
##### Description: EBS volume must exist.
##### Check Prereq Commands:
```sh
command -v az
if aws ec2 describe-volumes --volume-ids #{aws_volume_id} --region #{aws_region} > /dev/null 2>&1; then exit 0; else exit 1; fi
```
##### Description: The specified disk must exist
##### Get Prereq Commands:
```sh
az disk show --resource-group \#{azure_resource_group} --name \#{azure_disk_name}
echo "Ensure the volume ID exists in the target AWS account and region."
```
<br/>
<br/>
## Atomic Test #2 - Azure - Create Snapshot from Managed Disk
Creates a snapshot of a managed disk in Azure using the Azure CLI.
Simulates adversary snapshotting behavior for persistence or data duplication.
**Supported Platforms:** Iaas:azure
**auto_generated_guid:** 89e69b4b-3458-4ec6-b819-b3008debc1bc
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| azure_resource_group | The Azure resource group where the disk is located. | string | myResourceGroup|
| azure_disk_name | The Azure disk name. | string | myDiskName|
| azure_snapshot_name | The Azure snapshot name. | string | mySnapshotName|
#### Attack Commands: Run with `sh`!
```sh
az snapshot create --resource-group #{azure_resource_group} --name #{azure_snapshot_name} --source #{azure_disk_name} --location eastus
```
#### Cleanup Commands:
```sh
az snapshot delete --resource-group #{azure_resource_group} --name #{azure_snapshot_name}
```
#### Dependencies: Run with `sh`!
##### Description: Azure CLI must be installed.
##### Check Prereq Commands:
```sh
if command -v az > /dev/null 2>&1; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```sh
echo "Install Azure CLI: https://learn.microsoft.com/en-us/cli/azure/install-azure-cli"
```
##### Description: Azure CLI must be authenticated.
##### Check Prereq Commands:
```sh
if az account show > /dev/null 2>&1; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```sh
echo "Login with: az login"
```
##### Description: Azure disk must exist.
##### Check Prereq Commands:
```sh
if az disk show --resource-group #{azure_resource_group} --name #{azure_disk_name} > /dev/null 2>&1; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```sh
echo "Ensure the disk exists in the given resource group."
```
<br/>
<br/>
## Atomic Test #3 - GCP - Create Snapshot from Persistent Disk
Creates a snapshot of a persistent disk in GCP using the gcloud CLI.
Emulates adversary behavior to gain access to volume data or replicate environment state.
**Supported Platforms:** Iaas:gcp
**auto_generated_guid:** e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| gcp_disk_name | The Google Cloud disk name. | string | myDiskName|
| gcp_zone | The Google Cloud zone where the disk is located. | string | us-central1-a|
| gcp_snapshot_name | The Google Cloud snapshot name. | string | mySnapshotName|
#### Attack Commands: Run with `sh`!
```sh
gcloud compute snapshots create #{gcp_snapshot_name} --source-disk=#{gcp_disk_name} --zone=#{gcp_zone}
```
#### Cleanup Commands:
```sh
gcloud compute snapshots delete #{gcp_snapshot_name} --quiet
```
#### Dependencies: Run with `sh`!
##### Description: gcloud CLI must be installed.
##### Check Prereq Commands:
```sh
if command -v gcloud > /dev/null 2>&1; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```sh
echo "Install gcloud CLI: https://cloud.google.com/sdk/docs/install"
```
##### Description: gcloud CLI must be authenticated.
##### Check Prereq Commands:
```sh
if gcloud auth list --filter=status:ACTIVE --format="value(account)" | grep . > /dev/null; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```sh
echo "Authenticate with: gcloud auth login"
```
##### Description: GCP disk must exist.
##### Check Prereq Commands:
```sh
if gcloud compute disks describe #{gcp_disk_name} --zone=#{gcp_zone} > /dev/null 2>&1; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```sh
echo "Ensure the disk exists in the specified zone."
```
<br/><br/>
## Atomic Test #3 - GCP - Create Persistent Disk Snapshot
Creates a snapshot of a persistent disk in Google Cloud Platform.
**Supported Platforms:** iaas:gcp
**auto_generated_guid:** 902c61df-c1bc-4e8b-9aa0-55e2e68e0934
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| gcp_disk_name | The Google Cloud disk name | string | myDiskName |
| gcp_zone | The GCP zone where the disk is located | string | us-central1-a |
| gcp_snapshot_name | The Google Cloud snapshot name | string | mySnapshotName |
#### Attack Commands: Run with `sh`!
```sh
gcloud compute snapshots create \#{gcp_snapshot_name} --source-disk=\#{gcp_disk_name} --zone=\#{gcp_zone}
```
#### Cleanup Commands:
```sh
gcloud compute snapshots delete \#{gcp_snapshot_name} --quiet
```
#### Dependencies: Run with `sh`!
##### Description: GCloud CLI must be installed
```sh
command -v gcloud
```
##### Description: The specified disk must exist
```sh
gcloud compute disks describe \#{gcp_disk_name} --zone=\#{gcp_zone}
```
<br/>
atomics/T1578.001/T1578.001.yaml
+3 -3
View File
@@ -2,7 +2,7 @@ attack_technique: T1578.001
display_name: "Modify Cloud Compute Infrastructure: Create Snapshot"
atomic_tests:
- name: AWS - Create Snapshot from EBS Volume
auto_generated_guid:
auto_generated_guid: a3c09662-85bb-4ea8-b15b-6dc8a844e236
description: |
Creates an EBS snapshot in AWS using the AWS CLI.
This simulates an adversary duplicating volume data via snapshots for persistence or exfiltration.
@@ -45,7 +45,7 @@ atomic_tests:
fi
- name: Azure - Create Snapshot from Managed Disk
auto_generated_guid:
auto_generated_guid: 89e69b4b-3458-4ec6-b819-b3008debc1bc
description: |
Creates a snapshot of a managed disk in Azure using the Azure CLI.
Simulates adversary snapshotting behavior for persistence or data duplication.
@@ -89,7 +89,7 @@ atomic_tests:
az snapshot delete --resource-group #{azure_resource_group} --name #{azure_snapshot_name}
- name: GCP - Create Snapshot from Persistent Disk
auto_generated_guid:
auto_generated_guid: e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d
description: |
Creates a snapshot of a persistent disk in GCP using the gcloud CLI.
Emulates adversary behavior to gain access to volume data or replicate environment state.
atomics/used_guids.txt
+3
View File
@@ -1751,3 +1751,6 @@ b877943f-0377-44f4-8477-f79db7f07c4d
070322a4-2c60-4c50-8ffb-c450a34fe7bf
9a5352e4-56e5-45c2-9b3f-41a46d3b3a43
67aaf4cb-54ce-42e2-ab56-e0a9bcc089b1
a3c09662-85bb-4ea8-b15b-6dc8a844e236
89e69b4b-3458-4ec6-b819-b3008debc1bc
e6fbc036-91e7-4ad3-b9cb-f7210f40dd5d