updates based on MITRE v11

This commit is contained in:
Carrie Roberts
2022-06-15 17:25:38 -06:00
parent add51411df
commit 165c26be6a
10 changed files with 448615 additions and 368130 deletions
-68
@@ -1,68 +0,0 @@
# T1053.001 - At (Linux)
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/001)
<blockquote>Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)
An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.
Adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via <code>sudo</code>.(Citation: GTFObins at)</blockquote>
## Atomic Tests
- [Atomic Test #1 - At - Schedule a job](#atomic-test-1---at---schedule-a-job)
<br/>
## Atomic Test #1 - At - Schedule a job
This test submits a command to be run in the future by the `at` daemon.
**Supported Platforms:** Linux
**auto_generated_guid:** 7266d898-ac82-4ec0-97c7-436075d0d08e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| time_spec | Time specification of when the command should run | String | now + 1 minute|
| at_command | The command to be run | String | echo Hello from Atomic Red Team|
#### Attack Commands: Run with `sh`!
```sh
echo "#{at_command}" | at #{time_spec}
```
#### Dependencies: Run with `sh`!
##### Description: The `at` and `atd` executables must exist in the PATH
##### Check Prereq Commands:
```sh
which at && which atd
```
##### Get Prereq Commands:
```sh
echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'
```
##### Description: The `atd` daemon must be running
##### Check Prereq Commands:
```sh
systemctl status atd || service atd status
```
##### Get Prereq Commands:
```sh
echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'
```
<br/>
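Review bot: dropping the generated T1053.001 markdown is consistent with the Linux `At - Schedule a job` test moving to T1053.002 later in this change, but the generated T1053.002 markdown must be regenerated in the same commit so the moved test (same auto_generated_guid 7266d898-ac82-4ec0-97c7-436075d0d08e) is still documented somewhere and its `atq` cleanup hint is not lost.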
-43
@@ -1,43 +0,0 @@
---
attack_technique: T1053.001
display_name: "Scheduled Task/Job: At (Linux)"
atomic_tests:
- name: At - Schedule a job
auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e
description: |
This test submits a command to be run in the future by the `at` daemon.
supported_platforms:
- linux
input_arguments:
time_spec:
description: Time specification of when the command should run
type: String
default: now + 1 minute
at_command:
description: The command to be run
type: String
default: echo Hello from Atomic Red Team
dependency_executor_name: sh
dependencies:
- description: |
The `at` and `atd` executables must exist in the PATH
prereq_command: |
which at && which atd
get_prereq_command: |
echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'
- description: |
The `atd` daemon must be running
prereq_command: |
systemctl status atd || service atd status
get_prereq_command: |
echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'
executor:
name: sh
elevation_required: false
command: |
echo "#{at_command}" | at #{time_spec}
+39 -1
@@ -1,6 +1,6 @@
---
attack_technique: T1053.002
display_name: 'Scheduled Task/Job: At (Windows)'
display_name: 'Scheduled Task/Job: At'
atomic_tests:
- name: At.exe Scheduled task
@@ -17,3 +17,41 @@ atomic_tests:
elevation_required: false
command: |
at 13:20 /interactive cmd
- name: At - Schedule a job
auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e
description: |
This test submits a command to be run in the future by the `at` daemon.
supported_platforms:
- linux
input_arguments:
time_spec:
description: Time specification of when the command should run
type: String
default: now + 1 minute
at_command:
description: The command to be run
type: String
default: echo Hello from Atomic Red Team
dependency_executor_name: sh
dependencies:
- description: |
The `at` and `atd` executables must exist in the PATH
prereq_command: |
which at && which atd
get_prereq_command: |
echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'
- description: |
The `atd` daemon must be running
prereq_command: |
systemctl status atd || service atd status
get_prereq_command: |
echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'
executor:
name: sh
elevation_required: false
command: |
echo "#{at_command}" | at #{time_spec}
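Review bot: the moved Linux test still has no `cleanup_command`, so the job queued by `echo "#{at_command}" | at #{time_spec}` stays in the `at` queue after the test finishes; the old T1053.001 file had the same gap, but this move is the moment to add one (list the job with `atq` and remove it with `atrm <job>`). Also, `which atd` in the first prereq check can fail for an unprivileged user even when `at` is installed, because `atd` usually lives in a sbin directory that is not on a regular user's PATH; checking the daemon via the second dependency (`systemctl status atd || service atd status`) is the more reliable signal, so consider limiting the first check to `which at`.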
-54
@@ -1,54 +0,0 @@
# T1053.004 - Launchd
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1053/004)
<blockquote>This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with launchd rather than going through known services. Other system services are used to interact with launchd rather than launchd being used by itself.
Adversaries may abuse the <code>Launchd</code> daemon to perform task scheduling for initial or recurring execution of malicious code. The <code>launchd</code> daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).
An adversary may use the <code>launchd</code> daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. <code>launchd</code> can also be abused to run a process under the context of a specified account. Daemons, such as <code>launchd</code>, run with the permissions of the root user account, and will operate regardless of which user account is logged in.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Event Monitor Daemon Persistence](#atomic-test-1---event-monitor-daemon-persistence)
<br/>
## Atomic Test #1 - Event Monitor Daemon Persistence
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
**Supported Platforms:** macOS
**auto_generated_guid:** 11979f23-9b9d-482a-9935-6fc9cd022c3e
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_location | evil plist location | Path | $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist|
| script_destination | Path where to move the evil plist | Path | /etc/emond.d/rules/atomicredteam_T1053_004.plist|
| empty_file | Random name of the empty file used to trigger emond service | String | randomflag|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}
```
#### Cleanup Commands:
```bash
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}
```
<br/>
-34
@@ -1,34 +0,0 @@
---
attack_technique: T1053.004
display_name: 'Scheduled Task/Job: Launchd'
atomic_tests:
- name: Event Monitor Daemon Persistence
auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e
description: |
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
supported_platforms:
- macos
input_arguments:
script_location:
description: evil plist location
type: Path
default: $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist
script_destination:
description: Path where to move the evil plist
type: Path
default: /etc/emond.d/rules/atomicredteam_T1053_004.plist
empty_file:
description: Random name of the empty file used to trigger emond service
type: String
default: randomflag
executor:
name: bash
elevation_required: true
command: |
sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}
cleanup_command: |
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}
@@ -1,43 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>name</key>
<string>com.atomicredteam.t1053_004</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
<array>
<string>startup</string>
</array>
<key>actions</key>
<array>
<dict>
<key>command</key>
<string>/usr/bin/sleep</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>10</string>
</array>
<key>type</key>
<string>RunCommand</string>
</dict>
<dict>
<key>command</key>
<string>/usr/bin/touch</string>
<key>user</key>
<string>root</string>
<key>arguments</key>
<array>
<string>/tmp/T1053_004_atomicredteam</string>
</array>
<key>type</key>
<string>RunCommand</string>
</dict>
</array>
</dict>
</array>
</plist>
+29
@@ -34,3 +34,32 @@ atomic_tests:
cleanup_command: |
sudo launchctl unload ~/Library/LaunchAgents/#{plist_filename}
sudo rm ~/Library/LaunchAgents/#{plist_filename}
- name: Event Monitor Daemon Persistence
auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e
description: |
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
supported_platforms:
- macos
input_arguments:
script_location:
description: evil plist location
type: Path
default: $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist
script_destination:
description: Path where to move the evil plist
type: Path
default: /etc/emond.d/rules/atomicredteam_T1053_004.plist
empty_file:
description: Random name of the empty file used to trigger emond service
type: String
default: randomflag
executor:
name: bash
elevation_required: true
command: |
sudo cp #{script_location} #{script_destination}
sudo touch /private/var/db/emondClients/#{empty_file}
cleanup_command: |
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}
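Review bot: the `script_location` default still points at `$PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist`, but this same commit deletes the T1053.004 yaml and the `src` plist (the `@@ -1,43 +0,0 @@` hunk removing the `<plist>` file above). Unless the plist is re-added under the destination technique's own `src` directory, the `sudo cp #{script_location} #{script_destination}` line will fail on a fresh checkout; update the default path (and the plist's filename, which still encodes `T1053_004`) to the new technique directory.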
-43
@@ -1,43 +0,0 @@
# T1547.011 - Plist Modification
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/011)
<blockquote>Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, <code>Info.plist</code>, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple's Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description)
Adversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the <code>DYLD_INSERT_LIBRARIES</code> key combined with a path to a malicious dylib under the <code>EnvironmentVariables</code> key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the <code>LSEnvironment</code> key in the application's <code>Info.plist</code> file.(Citation: wardle artofmalware volume1)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Plist Modification](#atomic-test-1---plist-modification)
<br/>
## Atomic Test #1 - Plist Modification
Modify MacOS plist file in one of two directories
**Supported Platforms:** macOS
**auto_generated_guid:** 394a538e-09bb-4a4a-95d1-b93cf12682a8
#### Run it with these steps!
1. Modify a .plist in
/Library/Preferences
OR
~/Library/Preferences
2. Subsequently, follow the steps for adding and running via [Launch Agent](Persistence/Launch_Agent.md)
<br/>
@@ -1,5 +1,5 @@
attack_technique: T1547.011
display_name: 'Boot or Logon Autostart Execution: Plist Modification'
attack_technique: T1547
display_name: Plist File Modification
atomic_tests:
- name: Plist Modification
auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8
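Review bot: the new `attack_technique: T1547` and `display_name: Plist File Modification` do not obviously belong together. The removed line shows T1547's name is "Boot or Logon Autostart Execution", and in ATT&CK v11 "Plist File Modification" is the name of the separate technique T1647, not of T1547 or one of its sub-techniques; confirm which ID is intended and keep the file and directory name matching it. Minor: the other `display_name` values in this commit are single-quoted ('Scheduled Task/Job: At'); quote this one the same way for consistency.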