Generate docs from job=validate_atomics_generate_docs branch=master

2019-11-05 17:14:33 +00:00
parent ac176d6536
commit 1663bf7d52
7 changed files with 211 additions and 43 deletions
@@ -0,0 +1,65 @@
 # T1531 - Account Access Removal
 ## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1531)
 <blockquote>Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
 Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)</blockquote>
 ## Atomic Tests
 - [Atomic Test #1 - Change User Password - Windows](#atomic-test-1---change-user-password---windows)
 - [Atomic Test #2 - Delete User - Windows](#atomic-test-2---delete-user---windows)
 <br/>
 ## Atomic Test #1 - Change User Password - Windows
 Changes the user password to hinder access attempts. Seen in use by LockerGoga.
 **Supported Platforms:** Windows
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | user_account | User account whose password will be changed. | string | Administrator|
 | new_password | New password for the specified account. | string | HuHuHUHoHo283283@dJD|
 #### Run it with `command_prompt`!  Elevation Required (e.g. root or admin) 
 ```
 net.exe user #{user_account} #{new_password}
 ```
 #### Commands to Check Prerequisites:
 ```
 net.exe user #{user_account}
 ```
 <br/>
 <br/>
 ## Atomic Test #2 - Delete User - Windows
 Deletes a user account to prevent access.
 **Supported Platforms:** Windows
 #### Inputs
 | Name | Description | Type | Default Value | 
 |------|-------------|------|---------------|
 | user_account | User account to be deleted. | string | AtomicUser|
 #### Run it with `command_prompt`!  Elevation Required (e.g. root or admin) 
 ```
 net.exe user #{user_account} /delete
 ```
 #### Commands to Check Prerequisites:
 ```
 net.exe user #{user_account} /add
 net.exe user #{user_account} P@$$w0rd
 ```
 <br/>
@@ -436,7 +436,9 @@
  - Atomic Test #1: Web Shell Written to Disk [windows]
 # impact
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1531 Account Access Removal](./T1531/T1531.md)
  - Atomic Test #1: Change User Password - Windows [windows]
  - Atomic Test #2: Delete User - Windows [windows]
 - [T1485 Data Destruction](./T1485/T1485.md)
  - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
  - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
@@ -13019,30 +13019,23 @@ privilege-escalation:
 '
 impact:
-  '':
+  T1531:
    technique:
      x_mitre_data_sources:
-      - Packet capture
+      - Windows event logs
-      - Network protocol analysis
+      - Process command-line parameters
      - Process monitoring
      x_mitre_permissions_required:
      - User
      - Administrator
      - root
      - SYSTEM
-      name: Transmitted Data Manipulation
+      name: Account Access Removal
-      description: "Adversaries may alter data en route to storage or other systems
+      description: |-
-        in order to manipulate external outcomes or hide activity.(Citation: FireEye
+        Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
-        APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted
+
-        data, adversaries may attempt to affect a business process, organizational
+        Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)
-        understanding, and decision making. \n\nManipulation may be possible over
+      id: attack-pattern--b24e2a20-3b3d-4bf0-823b-1ed765398fb0
        a network connection or between system processes where there is an opportunity
        deploy a tool that will intercept and change information. The type of modification
        and the impact it will have depends on the target transmission mechanism as
        well as the goals and objectives of the adversary. For complex systems, an
        adversary would likely need special expertise and possibly access to specialized
        software related to the system that would typically be gained through a prolonged
        information gathering campaign in order to have the desired impact."
      id: attack-pattern--cc1e737c-236c-4e3b-83ba-32039a626ef8
      x_mitre_platforms:
      - Linux
      - macOS
@@ -13051,33 +13044,80 @@ impact:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_version: '1.0'
      x_mitre_impact_type:
-      - Integrity
+      - Availability
      type: attack-pattern
-      x_mitre_detection: Detecting the manipulation of data as at passes over a network
+      x_mitre_detection: |-
-        can be difficult without the appropriate tools. In some cases integrity verification
+        Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:
-        checks, such as file hashing, may be used on critical files as they transit
+
-        a network. With some critical processes involving transmission of data, manual
+        * Event ID 4723 - An attempt was made to change an account's password
-        or out-of-band integrity checking may be useful for identifying manipulated
+        * Event ID 4724 - An attempt was made to reset an account's password
-        data.
+        * Event ID 4726 - A user account was deleted
        * Event ID 4740 - A user account was locked out
        Alerting on [Net](https://attack.mitre.org/software/S0039) and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
-      created: '2019-04-09T16:08:20.824Z'
+      created: '2019-10-09T18:48:31.906Z'
      kill_chain_phases:
      - kill_chain_name: mitre-attack
        phase_name: impact
      external_references:
-      - source_name: mitre-attack
+      - external_id: T1531
-        external_id: T1493
+        source_name: mitre-attack
-        url: https://attack.mitre.org/techniques/T1493
+        url: https://attack.mitre.org/techniques/T1531
-      - source_name: FireEye APT38 Oct 2018
+      - source_name: CarbonBlack LockerGoga 2019
-        description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
+        description: CarbonBlack Threat Analysis Unit. (2019, March 22). TAU Threat
-          November 6, 2018.'
+          Intelligence Notification – LockerGoga Ransomware. Retrieved April 16, 2019.
-        url: https://content.fireeye.com/apt/rpt-apt38
+        url: https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/
-      - description: Department of Justice. (2018, September 6). Criminal Complaint
+      - description: Harbison, M.. (2019, March 26). Born This Way? Origins of LockerGoga.
-          - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
+          Retrieved April 16, 2019.
-        source_name: DOJ Lazarus Sony 2018
+        source_name: Unit42 LockerGoga 2019
-        url: https://www.justice.gov/opa/press-release/file/1092091/download
+        url: https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
-      modified: '2019-06-20T16:56:29.277Z'
+      modified: '2019-10-14T23:29:24.908Z'
-    atomic_tests: []
+      identifier: T1531
    atomic_tests:
    - name: Change User Password - Windows
      description: 'Changes the user password to hinder access attempts. Seen in use
        by LockerGoga.
 '
      supported_platforms:
      - windows
      input_arguments:
        user_account:
          description: User account whose password will be changed.
          type: string
          default: Administrator
        new_password:
          description: New password for the specified account.
          type: string
          default: HuHuHUHoHo283283@dJD
      executor:
        name: command_prompt
        elevation_required: true
        prereq_command: 'net.exe user #{user_account}
 '
        command: 'net.exe user #{user_account} #{new_password}
 '
    - name: Delete User - Windows
      description: 'Deletes a user account to prevent access.
 '
      supported_platforms:
      - windows
      input_arguments:
        user_account:
          description: User account to be deleted.
          type: string
          default: AtomicUser
      executor:
        name: command_prompt
        elevation_required: true
        prereq_command: |
          net.exe user #{user_account} /add
          net.exe user #{user_account} P@$$w0rd
        command: 'net.exe user #{user_account} /delete'
  T1485:
    technique:
      x_mitre_data_sources:
@@ -13225,6 +13265,65 @@ impact:
      executor:
        name: bash
        command: dd of=#{file_to_overwrite} if=#{overwrite_source}
  '':
    technique:
      x_mitre_data_sources:
      - Packet capture
      - Network protocol analysis
      x_mitre_permissions_required:
      - User
      - Administrator
      - root
      - SYSTEM
      name: Transmitted Data Manipulation
      description: "Adversaries may alter data en route to storage or other systems
        in order to manipulate external outcomes or hide activity.(Citation: FireEye
        APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted
        data, adversaries may attempt to affect a business process, organizational
        understanding, and decision making. \n\nManipulation may be possible over
        a network connection or between system processes where there is an opportunity
        deploy a tool that will intercept and change information. The type of modification
        and the impact it will have depends on the target transmission mechanism as
        well as the goals and objectives of the adversary. For complex systems, an
        adversary would likely need special expertise and possibly access to specialized
        software related to the system that would typically be gained through a prolonged
        information gathering campaign in order to have the desired impact."
      id: attack-pattern--cc1e737c-236c-4e3b-83ba-32039a626ef8
      x_mitre_platforms:
      - Linux
      - macOS
      - Windows
      object_marking_refs:
      - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
      x_mitre_version: '1.0'
      x_mitre_impact_type:
      - Integrity
      type: attack-pattern
      x_mitre_detection: Detecting the manipulation of data as at passes over a network
        can be difficult without the appropriate tools. In some cases integrity verification
        checks, such as file hashing, may be used on critical files as they transit
        a network. With some critical processes involving transmission of data, manual
        or out-of-band integrity checking may be useful for identifying manipulated
        data.
      created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      created: '2019-04-09T16:08:20.824Z'
      kill_chain_phases:
      - kill_chain_name: mitre-attack
        phase_name: impact
      external_references:
      - source_name: mitre-attack
        external_id: T1493
        url: https://attack.mitre.org/techniques/T1493
      - source_name: FireEye APT38 Oct 2018
        description: 'FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved
          November 6, 2018.'
        url: https://content.fireeye.com/apt/rpt-apt38
      - description: Department of Justice. (2018, September 6). Criminal Complaint
          - United States of America v. PARK JIN HYOK. Retrieved March 29, 2019.
        source_name: DOJ Lazarus Sony 2018
        url: https://www.justice.gov/opa/press-release/file/1092091/download
      modified: '2019-06-20T16:56:29.277Z'
    atomic_tests: []
  T1490:
    technique:
      x_mitre_data_sources:
@@ -40,7 +40,7 @@
 - [T1100 Web Shell](./T1100/T1100.md)
 # impact
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1531 Account Access Removal](./T1531/T1531.md)
 - [T1485 Data Destruction](./T1485/T1485.md)
  - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -57,7 +57,7 @@
 - [T1100 Web Shell](./T1100/T1100.md)
 # impact
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1531 Account Access Removal](./T1531/T1531.md)
 - [T1485 Data Destruction](./T1485/T1485.md)
  - Atomic Test #5: macOS/Linux - Overwrite file with DD [centos, linux, macos, ubuntu]
 - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -295,7 +295,9 @@
  - Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
 # impact
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1531 Account Access Removal](./T1531/T1531.md)
  - Atomic Test #1: Change User Password - Windows [windows]
  - Atomic Test #2: Delete User - Windows [windows]
 - [T1485 Data Destruction](./T1485/T1485.md)
  - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
  - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]