security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2022-11-07 14:39:00 +00:00
parent c03fb24928
commit 17b4c931b6
8 changed files with 71 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -958,6 +958,7 @@ credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd,6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
958 credential-access T1003 OS Credential Dumping 1 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
959 credential-access T1003 OS Credential Dumping 2 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
960 credential-access T1003 OS Credential Dumping 3 Dump svchost.exe to gather RDP credentials d400090a-d8ca-4be0-982e-c70598a23de9 powershell
961 credential-access T1003 OS Credential Dumping 4 Retrieve Microsoft IIS Service Account Credentials Using AppCmd 6c7a4fd3-5b0b-4b30-a93e-39411b25d889 powershell
962 credential-access T1539 Steal Web Session Cookie 1 Steal Firefox Cookies (Windows) 4b437357-f4e9-4c84-9fa6-9bcee6f826aa powershell
963 credential-access T1539 Steal Web Session Cookie 2 Steal Chrome Cookies (Windows) 26a6b840-4943-4965-8df5-ef1f9a282440 powershell
964 credential-access T1003.002 OS Credential Dumping: Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -693,6 +693,7 @@ credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd,6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
693 credential-access T1003 OS Credential Dumping 1 Gsecdump 96345bfc-8ae7-4b6a-80b7-223200f24ef9 command_prompt
694 credential-access T1003 OS Credential Dumping 2 Credential Dumping with NPPSpy 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 powershell
695 credential-access T1003 OS Credential Dumping 3 Dump svchost.exe to gather RDP credentials d400090a-d8ca-4be0-982e-c70598a23de9 powershell
696 credential-access T1003 OS Credential Dumping 4 Retrieve Microsoft IIS Service Account Credentials Using AppCmd 6c7a4fd3-5b0b-4b30-a93e-39411b25d889 powershell
697 credential-access T1539 Steal Web Session Cookie 1 Steal Firefox Cookies (Windows) 4b437357-f4e9-4c84-9fa6-9bcee6f826aa powershell
698 credential-access T1539 Steal Web Session Cookie 2 Steal Chrome Cookies (Windows) 26a6b840-4943-4965-8df5-ef1f9a282440 powershell
699 credential-access T1003.002 OS Credential Dumping: Security Account Manager 1 Registry dump of SAM, creds, and secrets 5c2571d0-1572-416d-9676-812e64ca9f44 command_prompt
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -1605,6 +1605,7 @@
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
- Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
- Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd [windows]
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -1170,6 +1170,7 @@
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
- Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
- Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd [windows]
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
atomics/Indexes/index.yaml
+20
View File
@@ -73197,6 +73197,26 @@ credential-access:
'
name: powershell
elevation_required: true
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd
auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
description: |-
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: IIS must be installed prior to running the test
prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed")
{exit 0} else {exit 1}
get_prereq_command: Install-WindowsFeature -name Web-Server -IncludeManagementTools
executor:
command: |-
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
name: powershell
elevation_required: true
T1171:
technique:
x_mitre_platforms:
atomics/T1003/T1003.md
+45
View File
@@ -13,6 +13,8 @@ Several of the tools mentioned in associated sub-techniques may be used by both
- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
- [Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd](#atomic-test-4---retrieve-microsoft-iis-service-account-credentials-using-appcmd)
<br/>
@@ -172,4 +174,47 @@ Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
<br/>
<br/>
## Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
**Supported Platforms:** Windows
**auto_generated_guid:** 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
```
#### Dependencies: Run with `powershell`!
##### Description: IIS must be installed prior to running the test
##### Check Prereq Commands:
```powershell
if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Install-WindowsFeature -name Web-Server -IncludeManagementTools
```
<br/>