Generated docs from job=generate-docs branch=master [ci skip]

2022-11-09 16:29:21 +00:00
parent 9f65cb32e3
commit 2b62e8a3c0
8 changed files with 300 additions and 14 deletions
@@ -979,11 +979,13 @@ credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump indivi
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
 credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
-credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
+credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 credential-access,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
 credential-access,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
+credential-access,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
+credential-access,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
@@ -1153,11 +1155,13 @@ discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f
 discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
 discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
 discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
-discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
+discovery,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
 discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
 discovery,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
 discovery,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
+discovery,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
+discovery,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
 discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
 discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
 discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
@@ -122,7 +122,9 @@ privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Appl
 privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
 credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
 credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
-credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
+credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
+credential-access,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
+credential-access,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
 credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
@@ -142,7 +144,9 @@ discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user
 discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
 discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
-discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
+discovery,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
+discovery,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
+discovery,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
 discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
 discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
 discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
@@ -1641,11 +1641,13 @@
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux [linux]
-  - Atomic Test #2: Packet Capture macOS [macos]
+  - Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Windows Internal Packet Capture [windows]
  - Atomic Test #5: Windows Internal pktmon capture [windows]
  - Atomic Test #6: Windows Internal pktmon set filter [windows]
+  - Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
+  - Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
 - [T1552.002 Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md)
  - Atomic Test #1: Enumeration for Credentials in Registry [windows]
  - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
@@ -1881,11 +1883,13 @@
  - Atomic Test #3: System Service Discovery - systemctl [linux]
 - [T1040 Network Sniffing](../../T1040/T1040.md)
  - Atomic Test #1: Packet Capture Linux [linux]
-  - Atomic Test #2: Packet Capture macOS [macos]
+  - Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
  - Atomic Test #3: Packet Capture Windows Command Prompt [windows]
  - Atomic Test #4: Windows Internal Packet Capture [windows]
  - Atomic Test #5: Windows Internal pktmon capture [windows]
  - Atomic Test #6: Windows Internal pktmon set filter [windows]
+  - Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
+  - Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
  - Atomic Test #1: Network Share Discovery [macos]
  - Atomic Test #2: Network Share Discovery - linux [linux]
@@ -384,7 +384,9 @@
 - T1167 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
-  - Atomic Test #2: Packet Capture macOS [macos]
+  - Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
+  - Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
+  - Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
 - T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1552 Unsecured Credentials](../../T1552/T1552.md)
@@ -443,7 +445,9 @@
 - T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
-  - Atomic Test #2: Packet Capture macOS [macos]
+  - Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
+  - Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
+  - Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
 - [T1135 Network Share Discovery](../../T1135/T1135.md)
  - Atomic Test #1: Network Share Discovery [macos]
 - T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -74822,7 +74822,7 @@ credential-access:
          tshark -c 5 -i #{interface}
        name: bash
        elevation_required: true
-    - name: Packet Capture macOS
+    - name: Packet Capture macOS using tcpdump or tshark
      auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608
      description: |
        Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
@@ -74947,6 +74947,88 @@ credential-access:
        cleanup_command: pktmon filter remove
        name: command_prompt
        elevation_required: true
+    - name: Packet Capture macOS using /dev/bpfN with sudo
+      auto_generated_guid: e6fe5095-545d-4c8b-a0ae-e863914be3aa
+      description: 'Opens a /dev/bpf file (O_RDONLY) and captures packets for a few
+        seconds.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        ifname:
+          description: Specify interface to perform PCAP on.
+          type: String
+          default: en0
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_macos_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'exit 1
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -i #{ifname} -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
+    - name: Filtered Packet Capture macOS using /dev/bpfN with sudo
+      auto_generated_guid: e2480aee-23f3-4f34-80ce-de221e27cd19
+      description: 'Opens a /dev/bpf file (O_RDONLY), sets BPF filter for ''udp''
+        and captures packets for a few seconds.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        ifname:
+          description: Specify interface to perform PCAP on.
+          type: String
+          default: en0
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_macos_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'exit 1
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -f -i #{ifname} -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
  T1552.002:
    technique:
      x_mitre_platforms:
@@ -83958,7 +84040,7 @@ discovery:
          tshark -c 5 -i #{interface}
        name: bash
        elevation_required: true
-    - name: Packet Capture macOS
+    - name: Packet Capture macOS using tcpdump or tshark
      auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608
      description: |
        Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
@@ -84083,6 +84165,88 @@ discovery:
        cleanup_command: pktmon filter remove
        name: command_prompt
        elevation_required: true
+    - name: Packet Capture macOS using /dev/bpfN with sudo
+      auto_generated_guid: e6fe5095-545d-4c8b-a0ae-e863914be3aa
+      description: 'Opens a /dev/bpf file (O_RDONLY) and captures packets for a few
+        seconds.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        ifname:
+          description: Specify interface to perform PCAP on.
+          type: String
+          default: en0
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_macos_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'exit 1
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -i #{ifname} -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
+    - name: Filtered Packet Capture macOS using /dev/bpfN with sudo
+      auto_generated_guid: e2480aee-23f3-4f34-80ce-de221e27cd19
+      description: 'Opens a /dev/bpf file (O_RDONLY), sets BPF filter for ''udp''
+        and captures packets for a few seconds.
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        ifname:
+          description: Specify interface to perform PCAP on.
+          type: String
+          default: en0
+        csource_path:
+          description: Path to C program source
+          type: String
+          default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
+        program_path:
+          description: Path to compiled C program
+          type: String
+          default: "/tmp/t1040_macos_pcapdemo"
+      dependency_executor_name: bash
+      dependencies:
+      - description: 'compile C program
+
+          '
+        prereq_command: 'exit 1
+
+          '
+        get_prereq_command: 'cc #{csource_path} -o #{program_path}
+
+          '
+      executor:
+        command: 'sudo #{program_path} -f -i #{ifname} -t 3
+
+          '
+        cleanup_command: 'rm -f #{program_path}
+
+          '
+        name: bash
+        elevation_required: true
  T1135:
    technique:
      x_mitre_platforms:
@@ -12,7 +12,7 @@ In cloud-based environments, adversaries may still be able to use traffic mirror

 - [Atomic Test #1 - Packet Capture Linux](#atomic-test-1---packet-capture-linux)

- [Atomic Test #2 - Packet Capture macOS](#atomic-test-2---packet-capture-macos)
+- [Atomic Test #2 - Packet Capture macOS using tcpdump or tshark](#atomic-test-2---packet-capture-macos-using-tcpdump-or-tshark)

 - [Atomic Test #3 - Packet Capture Windows Command Prompt](#atomic-test-3---packet-capture-windows-command-prompt)

@@ -22,6 +22,10 @@ In cloud-based environments, adversaries may still be able to use traffic mirror

 - [Atomic Test #6 - Windows Internal pktmon set filter](#atomic-test-6---windows-internal-pktmon-set-filter)

+- [Atomic Test #7 - Packet Capture macOS using /dev/bpfN with sudo](#atomic-test-7---packet-capture-macos-using-devbpfn-with-sudo)
+
+- [Atomic Test #8 - Filtered Packet Capture macOS using /dev/bpfN with sudo](#atomic-test-8---filtered-packet-capture-macos-using-devbpfn-with-sudo)
+

 <br/>

@@ -73,7 +77,7 @@ if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exi
 <br/>
 <br/>

-## Atomic Test #2 - Packet Capture macOS
+## Atomic Test #2 - Packet Capture macOS using tcpdump or tshark
 Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.

 Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A.
@@ -285,4 +289,106 @@ pktmon filter remove



+<br/>
+<br/>
+
+## Atomic Test #7 - Packet Capture macOS using /dev/bpfN with sudo
+Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** e6fe5095-545d-4c8b-a0ae-e863914be3aa
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ifname | Specify interface to perform PCAP on. | String | en0|
+| csource_path | Path to C program source | String | PathToAtomicsFolder/T1040/src/macos_pcapdemo.c|
+| program_path | Path to compiled C program | String | /tmp/t1040_macos_pcapdemo|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo #{program_path} -i #{ifname} -t 3
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{program_path}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: compile C program
+##### Check Prereq Commands:
+```bash
+exit 1
+```
+##### Get Prereq Commands:
+```bash
+cc #{csource_path} -o #{program_path}
+```
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Filtered Packet Capture macOS using /dev/bpfN with sudo
+Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** e2480aee-23f3-4f34-80ce-de221e27cd19
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| ifname | Specify interface to perform PCAP on. | String | en0|
+| csource_path | Path to C program source | String | PathToAtomicsFolder/T1040/src/macos_pcapdemo.c|
+| program_path | Path to compiled C program | String | /tmp/t1040_macos_pcapdemo|
+
+
+#### Attack Commands: Run with `bash`!  Elevation Required (e.g. root or admin) 
+
+
+```bash
+sudo #{program_path} -f -i #{ifname} -t 3
+```
+
+#### Cleanup Commands:
+```bash
+rm -f #{program_path}
+```
+
+
+
+#### Dependencies:  Run with `bash`!
+##### Description: compile C program
+##### Check Prereq Commands:
+```bash
+exit 1
+```
+##### Get Prereq Commands:
+```bash
+cc #{csource_path} -o #{program_path}
+```
+
+
+
+
 <br/>