Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

CircleCI Atomic Red Team doc generator
2021-09-09 18:05:56 +00:00
parent 1605c05954
commit 217dc47106
6 changed files with 56 additions and 0 deletions
@@ -667,6 +667,7 @@ impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Consol
impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,powershell
impact,T1491.001,Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
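Review bot: The new test 8 row is named "Windows - Disable the SR scheduled task", and in this index the name is all a reader sees, so the unexpanded "SR" is hard to search for and reads differently from the neighbouring T1490 rows, which spell out what they touch (Volume Shadow Copies, systemstatebackup). Consider renaming the test in the source atomic to "Windows - Disable the System Restore (SR) scheduled task" and regenerating, since this index is generated output.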
Columns: Tactic, Technique #, Technique Name, Test #, Test Name, Test GUID, Executor Name
@@ -443,6 +443,7 @@ impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Consol
impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell
impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt
impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt
impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1c68c68d-83a4-4981-974e-8993055fa034,powershell
impact,T1491.001,Internal Defacement,1,Replace Desktop Wallpaper,30558d53-9d76-41c4-9267-a7bd5184bed3,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
@@ -1145,6 +1145,7 @@
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- Atomic Test #8: Windows - Disable the SR scheduled task [windows]
- [T1491.001 Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -808,6 +808,7 @@
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- Atomic Test #8: Windows - Disable the SR scheduled task [windows]
- [T1491.001 Internal Defacement](../../T1491.001/T1491.001.md)
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -50203,6 +50203,24 @@ impact:
'
name: command_prompt
elevation_required: true
- name: Windows - Disable the SR scheduled task
auto_generated_guid: 1c68c68d-83a4-4981-974e-8993055fa034
description: 'Use schtasks.exe to disable the System Restore (SR) scheduled
task
'
supported_platforms:
- windows
executor:
command: 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
'
cleanup_command: 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR"
/enable
'
name: powershell
elevation_required: true
T1491.001:
technique:
external_references:
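Review bot: The cleanup_command unconditionally runs `/enable` on `\Microsoft\Windows\SystemRestore\SR`, so on a host where that task was already disabled before the test, cleanup leaves it in a different state from the one it started in; the definition also shows no prerequisite check that the task exists. Consider recording the task's state before the change and restoring that state in cleanup, or stating in the description that the test assumes the task is enabled. Separately, `name: powershell` is set for a command that is a bare schtasks.exe call with no PowerShell syntax, while the test just above it in this hunk uses `name: command_prompt`; either match that executor or say in the description that PowerShell as the parent process is intended, because the choice changes the process lineage defenders will see.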
@@ -25,6 +25,8 @@ A number of native Windows utilities have been used by adversaries to disable or
- [Atomic Test #7 - Windows - wbadmin Delete systemstatebackup](#atomic-test-7---windows---wbadmin-delete-systemstatebackup)
- [Atomic Test #8 - Windows - Disable the SR scheduled task](#atomic-test-8---windows---disable-the-sr-scheduled-task)
<br/>
@@ -251,4 +253,36 @@ wbadmin delete systemstatebackup -keepVersions:0
<br/>
<br/>
## Atomic Test #8 - Windows - Disable the SR scheduled task
Use schtasks.exe to disable the System Restore (SR) scheduled task
**Supported Platforms:** Windows
**auto_generated_guid:** 1c68c68d-83a4-4981-974e-8993055fa034
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
```
#### Cleanup Commands:
```powershell
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable
```
<br/>
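Review bot: The description under the "Atomic Test #8" heading is a single line and gives no way to confirm the outcome or tie the test to detection. Consider extending the source description with what success looks like (for example, `schtasks.exe /Query /TN "\Microsoft\Windows\SystemRestore\SR"` reporting the task as Disabled) and with the expected observable, a schtasks.exe process creation carrying `/Change` and `/disable` against the SystemRestore task path, so defenders running the test know which event to look for.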