Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2024-07-05 04:42:43 +00:00
parent 006e4c7057
commit 3d7cf65d31
16 changed files with 1220 additions and 12 deletions
+1 -1
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1590-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1594-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
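Review bot: the badge count moving from 1590 to 1594 is consistent with the four tests this commit adds elsewhere in the diff (T1543.004 #2 "Launch Daemon - Users Directory", T1037.005 #2 and #3, and T1543.001 #3 "Launch Agent - Root Directory"), so the generated README is in sync with the index files; nothing to change here, just confirming the number was not bumped independently of the index.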
+8
@@ -722,6 +722,7 @@ privilege-escalation,T1547.009,Boot or Logon Autostart Execution: Shortcut Modif
privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
privilege-escalation,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,2,Launch Daemon - Users Directory,6f899f9d-8a8e-4143-89a5-26fc2c3ec438,bash
privilege-escalation,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
privilege-escalation,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
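Review bot: the new row's GUID 6f899f9d-8a8e-4143-89a5-26fc2c3ec438 and bash executor match the auto_generated_guid of the "Launch Daemon - Users Directory" atomic in the YAML hunk later in this commit, so the index and the source atomic agree. One pre-existing nit in the context line directly below it, not introduced here: the T1574.008 test name still reads "powerShell Persistence ..." with a lower-case p, which comes from the source atomic and would need fixing there rather than in this generated file.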
@@ -851,10 +852,13 @@ privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,4,COM hijacking via TreatAs,33eacead-f117-4863-8eb0-5c6304fbfaa9,powershell
privilege-escalation,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
privilege-escalation,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
privilege-escalation,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
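Review bot: the two new T1037.005 rows (tests #2 "Add launch script to launch daemon" and #3 "Add launch script to launch agent") describe launchd-based persistence, which this same index already files under T1543.004 Launch Daemon and T1543.001 Launch Agent; confirm the ATT&CK mapping, since T1037.005 Startup Items covers the legacy /Library/StartupItems mechanism that test #1 "Add file to Local Library StartupItems" exercises. A smaller style point in the same rows: test #1 uses the sh executor while #2 and #3 use bash; if the new scripts need no bash-specific features, keeping sh makes the technique's executors consistent.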
@@ -1079,6 +1083,7 @@ persistence,T1547.009,Boot or Logon Autostart Execution: Shortcut Modification,2
persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,1,Modify HKLM:\System\CurrentControlSet\Control\Lsa Security Support Provider configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell
persistence,T1547.005,Boot or Logon Autostart Execution: Security Support Provider,2,Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry,de3f8e74-3351-4fdb-a442-265dbf231738,powershell
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1543.004,Create or Modify System Process: Launch Daemon,2,Launch Daemon - Users Directory,6f899f9d-8a8e-4143-89a5-26fc2c3ec438,bash
persistence,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
persistence,T1505.003,Server Software Component: Web Shell,1,Web Shell Written to Disk,0a2ce662-1efa-496f-a472-2fe7b080db16,command_prompt
persistence,T1078.001,Valid Accounts: Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
@@ -1197,6 +1202,8 @@ persistence,T1546.015,Event Triggered Execution: Component Object Model Hijackin
persistence,T1137.004,Office Application Startup: Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt
persistence,T1574.009,Hijack Execution Flow: Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
@@ -1205,6 +1212,7 @@ persistence,T1546.010,Event Triggered Execution: AppInit DLLs,1,Install AppInit
persistence,T1546.002,Event Triggered Execution: Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt
persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3a,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,sh
@@ -93,6 +93,7 @@ persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN,3d456e2b-a7db-4af8-b5b3-720e7c4d9da5,manual
persistence,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
persistence,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
persistence,T1543.004,Create or Modify System Process: Launch Daemon,2,Launch Daemon - Users Directory,6f899f9d-8a8e-4143-89a5-26fc2c3ec438,bash
persistence,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
persistence,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
persistence,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
@@ -106,8 +107,11 @@ persistence,T1547.006,Boot or Logon Autostart Execution: Kernel Modules and Exte
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
persistence,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
persistence,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
persistence,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
persistence,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
persistence,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
@@ -151,6 +155,7 @@ privilege-escalation,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab
privilege-escalation,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1037.002,Boot or Logon Initialization Scripts: Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
privilege-escalation,T1543.004,Create or Modify System Process: Launch Daemon,2,Launch Daemon - Users Directory,6f899f9d-8a8e-4143-89a5-26fc2c3ec438,bash
privilege-escalation,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
privilege-escalation,T1546.005,Event Triggered Execution: Trap,1,Trap EXIT,a74b2e07-5952-4c03-8b56-56274b076b61,sh
privilege-escalation,T1546.005,Event Triggered Execution: Trap,3,Trap SIGINT,a547d1ba-1d7a-4cc5-a9cb-8d65e8809636,sh
@@ -166,8 +171,11 @@ privilege-escalation,T1547.006,Boot or Logon Autostart Execution: Kernel Modules
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile .bashrc and .shrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,2,Add launch script to launch daemon,fc369906-90c7-4a15-86fd-d37da624dde6,bash
privilege-escalation,T1037.005,Boot or Logon Initialization Scripts: Startup Items,3,Add launch script to launch agent,10cf5bec-49dd-4ebf-8077-8f47e420096f,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,2,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
privilege-escalation,T1543.001,Create or Modify System Process: Launch Agent,3,Launch Agent - Root Directory,66774fa8-c562-4bae-a58d-5264a0dd9dd7,bash
privilege-escalation,T1037.004,Boot or Logon Initialization Scripts: Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,1,Copy in loginwindow.plist for Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,sh
privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Applications,2,Re-Opened Applications using LoginHook,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh
@@ -954,6 +954,7 @@
- Atomic Test #2: Modify HKLM:\System\CurrentControlSet\Control\Lsa\OSConfig Security Support Provider configuration in registry [windows]
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- Atomic Test #2: Launch Daemon - Users Directory [macos]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- [T1484.001 Domain Policy Modification: Group Policy Modification](../../T1484.001/T1484.001.md)
@@ -1131,6 +1132,8 @@
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- Atomic Test #2: Add launch script to launch daemon [macos]
- Atomic Test #3: Add launch script to launch agent [macos]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.010 Event Triggered Execution: AppInit DLLs](../../T1546.010/T1546.010.md)
@@ -1140,6 +1143,7 @@
- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- Atomic Test #3: Launch Agent - Root Directory [macos]
- T1055.009 Proc Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
@@ -1468,6 +1472,7 @@
- T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- Atomic Test #2: Launch Daemon - Users Directory [macos]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- [T1505.003 Server Software Component: Web Shell](../../T1505.003/T1505.003.md)
@@ -1633,6 +1638,8 @@
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- Atomic Test #2: Add launch script to launch daemon [macos]
- Atomic Test #3: Add launch script to launch agent [macos]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1037.003 Network Logon Script [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1197 BITS Jobs](../../T1197/T1197.md)
@@ -1648,6 +1655,7 @@
- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- Atomic Test #3: Launch Agent - Root Directory [macos]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -200,6 +200,7 @@
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- Atomic Test #2: Launch Daemon - Users Directory [macos]
- T1505.003 Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #3: Enable Guest Account on macOS [macos]
@@ -234,10 +235,13 @@
- Atomic Test #2: Add command to .bashrc [macos, linux]
- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- Atomic Test #2: Add launch script to launch daemon [macos]
- Atomic Test #3: Add launch script to launch agent [macos]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- Atomic Test #3: Launch Agent - Root Directory [macos]
- T1505 Server Software Component [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
@@ -386,6 +390,7 @@
- T1055 Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.004 Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md)
- Atomic Test #1: Launch Daemon [macos]
- Atomic Test #2: Launch Daemon - Users Directory [macos]
- [T1078.001 Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #3: Enable Guest Account on macOS [macos]
- [T1546.005 Event Triggered Execution: Trap](../../T1546.005/T1546.005.md)
@@ -418,10 +423,13 @@
- T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.005 Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md)
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- Atomic Test #2: Add launch script to launch daemon [macos]
- Atomic Test #3: Add launch script to launch agent [macos]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1543.001 Create or Modify System Process: Launch Agent](../../T1543.001/T1543.001.md)
- Atomic Test #1: Launch Agent [macos]
- Atomic Test #2: Event Monitor Daemon Persistence [macos]
- Atomic Test #3: Launch Agent - Root Directory [macos]
- T1546.016 Installer Packages [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1037.004 Boot or Logon Initialization Scripts: Rc.common](../../T1037.004/T1037.004.md)
- Atomic Test #1: rc.common [macos]
+450 -2
@@ -37579,6 +37579,47 @@ privilege-escalation:
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
- name: Launch Daemon - Users Directory
auto_generated_guid: 6f899f9d-8a8e-4143-89a5-26fc2c3ec438
description: 'Utilize LaunchDaemon in /Users directory to touch temporary file
in /tmp
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.004.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist"
dependency_executor_name: bash
dependencies:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchDaemons/#{plist_filename}
cleanup_command: |-
sudo launchctl unload ~/Library/LaunchDaemons/#{plist_filename}
sudo rm ~/Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
modified: '2023-05-09T14:00:00.188Z'
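Review bot: the executor line `sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}` has no dependency that makes sure `~/Library/LaunchDaemons` exists; the only dependency in this hunk is the plist-file check, whereas the `Launch Agent - Root Directory` test added later in this commit carries a `must exist` dependency for its target folder. macOS does not create a per-user `LaunchDaemons` folder, so on a stock account the `cp` fails before anything is loaded. Add a dependency whose `prereq_command` is a pure `[ -d ~/Library/LaunchDaemons ]` check and whose `get_prereq_command` does the `mkdir -p`. Two caveats belong in the description as well: `~` is expanded by the shell before `sudo` runs, so it resolves to whichever account runs the executor (for an already-elevated runner that is `/var/root`, not a path under `/Users`), and `launchd` does not scan a per-user `LaunchDaemons` folder, so the `sudo launchctl load -w` here is a one-off manual load rather than the boot-time persistence that the `/Library/LaunchDaemons` test immediately above this hunk exercises; 'Utilize LaunchDaemon in /Users directory' currently implies otherwise. Finally, `path_malicious_plist` is described as 'Name of file to store in cron folder' and the dependency as 'The shared library must exist on disk', both copy-paste leftovers; the argument is a launchd plist.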
@@ -45830,7 +45871,6 @@ privilege-escalation:
auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198
description: |
Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
@@ -45843,6 +45883,142 @@ privilege-escalation:
'
name: sh
elevation_required: true
- name: Add launch script to launch daemon
auto_generated_guid: fc369906-90c7-4a15-86fd-d37da624dde6
description: |
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
input_arguments:
path_malicious_script:
description: Name of script to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037.005_daemon.sh"
path_malicious_plist:
description: Name of file to store in /tmp
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037_005_daemon.plist"
path_startup_params:
description: Name of plist with startup params
type: string
default: "$PathToAtomicsFolder/T1037.005/src/StartupParameters.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/StartupItems must exist\n"
prereq_command: 'if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/StartupItems"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
- description: 'The startup script must exist on disk at specified location
(#{path_malicious_script})
'
prereq_command: 'if [ -f #{path_malicious_script} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The startup script doesn''t exist. Check the path
and try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_daemon.plist
sudo /Library/StartupItems/atomic.sh start
cleanup_command: |
sudo launchctl unload /tmp/T1037_005_daemon.plist
sudo rm /tmp/T1037_005_daemon.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_daemon.txt
- name: Add launch script to launch agent
auto_generated_guid: 10cf5bec-49dd-4ebf-8077-8f47e420096f
description: |
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
input_arguments:
path_malicious_script:
description: Name of script to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037.005_agent.sh"
path_malicious_plist:
description: Name of file to store in /tmp
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037_005_agent.plist"
path_startup_params:
description: Name of plist with startup params
type: string
default: "$PathToAtomicsFolder/T1037.005/src/StartupParameters.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/StartupItems must exist\n"
prereq_command: 'if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/StartupItems"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
- description: 'The startup script must exist on disk at specified location
(#{path_malicious_script})
'
prereq_command: 'if [ -f #{path_malicious_script} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The startup script doesn''t exist. Check the path
and try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_agent.plist
/Library/StartupItems/atomic.sh start
cleanup_command: |-
sudo launchctl unload /tmp/T1037_005_agent.plist
sudo rm /tmp/T1037_005_agent.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_agent.txt
T1078.002:
technique:
modified: '2023-08-14T14:55:07.432Z'
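Review bot: the `/Library/StartupItems must exist` dependency in both new tests performs the `mkdir` inside `prereq_command` and then unconditionally runs `exit 0`, so a failed `mkdir` (the dependency executor is `bash` without `sudo`, and `/Library` is not writable by a standard user) is still reported as satisfied, while `get_prereq_command` only echoes 'Failed to create /Library/StartupItems' and creates nothing. Move the creation into `get_prereq_command` as `sudo mkdir -p /Library/StartupItems` and reduce `prereq_command` to the check, e.g. `if [ -d /Library/StartupItems ]; then exit 0; else exit 1; fi;`. Copy-paste leftovers in the same hunk: the daemon test (`fc369906-90c7-4a15-86fd-d37da624dde6`) describes itself as 'Add launch script to /Library/StartupItems to launch agent', word for word the agent test's description; both `path_malicious_script` arguments say 'Name of script to store in cron folder' although the file is copied to `/Library/StartupItems/atomic.sh`; and 'The shared library must exist on disk' refers to a plist. The description should also say that `atomic.sh start` is what loads `/tmp/T1037_005_daemon.plist` (respectively `/tmp/T1037_005_agent.plist`), since nothing in the visible `command` loads it yet `cleanup_command` unloads it. Minor: the agent test runs `/Library/StartupItems/atomic.sh start` without `sudo` while the daemon test uses `sudo`, and the two `cleanup_command` blocks use `|` and `|-`; align them so the tests differ only where intended.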
@@ -46396,6 +46572,54 @@ privilege-escalation:
cleanup_command: |-
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}
- name: Launch Agent - Root Directory
auto_generated_guid: 66774fa8-c562-4bae-a58d-5264a0dd9dd7
description: 'Create a plist and execute it
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.001.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/LaunchAgents must exist\n"
prereq_command: 'if [ ! -d /Library/LaunchAgents ]; then mkdir /Library/LaunchAgents;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/LaunchAgents"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} /Library/LaunchAgents/#{plist_filename}
launchctl load -w /Library/LaunchAgents/#{plist_filename}
cleanup_command: |
launchctl unload /Library/LaunchAgents/#{plist_filename}
sudo rm /Library/LaunchAgents/#{plist_filename}
sudo rm /tmp/T1543_001_atomicredteam.txt
T1055.009:
technique:
x_mitre_platforms:
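Review bot: the name 'Launch Agent - Root Directory' and the description 'Create a plist and execute it' do not say what distinguishes this test from Atomic Test #1 'Launch Agent'; the visible difference is that the plist goes to `/Library/LaunchAgents/`, the system-wide agents folder that launchd loads into every user's login session, so state that, and drop 'Root Directory', which reads as root's home and is not what the test touches. The `/Library/LaunchAgents must exist` dependency has the same defect as the StartupItems one earlier in this commit: `mkdir` runs inside `prereq_command` without `sudo` and is followed by an unconditional `exit 0`, so the check passes even when the folder could not be created; put the creation in `get_prereq_command` (`sudo mkdir -p /Library/LaunchAgents`) and keep `prereq_command` as a pure `[ -d /Library/LaunchAgents ]` test. Also `path_malicious_plist` is described as 'Name of file to store in cron folder' and the dependency as 'The shared library must exist', both leftovers from another test. Since the executor copies with `sudo` but then runs `launchctl load -w` unprivileged, a one-line comment that the job is intentionally loaded into the current user's session would save the next reader a question.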
@@ -61141,6 +61365,47 @@ persistence:
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
- name: Launch Daemon - Users Directory
auto_generated_guid: 6f899f9d-8a8e-4143-89a5-26fc2c3ec438
description: 'Utilize LaunchDaemon in /Users directory to touch temporary file
in /tmp
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.004.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist"
dependency_executor_name: bash
dependencies:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchDaemons/#{plist_filename}
cleanup_command: |-
sudo launchctl unload ~/Library/LaunchDaemons/#{plist_filename}
sudo rm ~/Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
modified: '2023-05-09T14:00:00.188Z'
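Review bot: this hunk is the same 'Launch Daemon - Users Directory' block that appears under `privilege-escalation` earlier in this file, and it carries the same problems: no dependency creating `~/Library/LaunchDaemons`, `~` resolving to the executor's own account rather than a `/Users` path, `launchd` not scanning a per-user `LaunchDaemons` folder, and the 'cron folder' / 'shared library' copy-paste descriptions. Because this index is generated per tactic, fix the test once in its source atomic definition and regenerate; patching either copy here would be overwritten by the next docs run.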
@@ -68976,7 +69241,6 @@ persistence:
auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198
description: |
Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
@@ -68989,6 +69253,142 @@ persistence:
'
name: sh
elevation_required: true
- name: Add launch script to launch daemon
auto_generated_guid: fc369906-90c7-4a15-86fd-d37da624dde6
description: |
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
input_arguments:
path_malicious_script:
description: Name of script to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037.005_daemon.sh"
path_malicious_plist:
description: Name of file to store in /tmp
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037_005_daemon.plist"
path_startup_params:
description: Name of plist with startup params
type: string
default: "$PathToAtomicsFolder/T1037.005/src/StartupParameters.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/StartupItems must exist\n"
prereq_command: 'if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/StartupItems"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
- description: 'The startup script must exist on disk at specified location
(#{path_malicious_script})
'
prereq_command: 'if [ -f #{path_malicious_script} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The startup script doesn''t exist. Check the path
and try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_daemon.plist
sudo /Library/StartupItems/atomic.sh start
cleanup_command: |
sudo launchctl unload /tmp/T1037_005_daemon.plist
sudo rm /tmp/T1037_005_daemon.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_daemon.txt
- name: Add launch script to launch agent
auto_generated_guid: 10cf5bec-49dd-4ebf-8077-8f47e420096f
description: |
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
input_arguments:
path_malicious_script:
description: Name of script to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037.005_agent.sh"
path_malicious_plist:
description: Name of file to store in /tmp
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037_005_agent.plist"
path_startup_params:
description: Name of plist with startup params
type: string
default: "$PathToAtomicsFolder/T1037.005/src/StartupParameters.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/StartupItems must exist\n"
prereq_command: 'if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/StartupItems"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
- description: 'The startup script must exist on disk at specified location
(#{path_malicious_script})
'
prereq_command: 'if [ -f #{path_malicious_script} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The startup script doesn''t exist. Check the path
and try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_agent.plist
/Library/StartupItems/atomic.sh start
cleanup_command: |-
sudo launchctl unload /tmp/T1037_005_agent.plist
sudo rm /tmp/T1037_005_agent.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_agent.txt
T1078.002:
technique:
modified: '2023-08-14T14:55:07.432Z'
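Review bot: this is the `persistence` copy of the two `/Library/StartupItems` tests reviewed under `privilege-escalation` above, with the same issues: `mkdir` inside `prereq_command` followed by an unconditional `exit 0`, the daemon test's description ending in 'to launch agent', 'Name of script to store in cron folder' for a script placed in `/Library/StartupItems`, and the unexplained `cleanup_command` unload of a plist the visible `command` never loads. Same request as there: correct the source test definitions and regenerate rather than editing this generated copy.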
@@ -69845,6 +70245,54 @@ persistence:
cleanup_command: |-
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}
- name: Launch Agent - Root Directory
auto_generated_guid: 66774fa8-c562-4bae-a58d-5264a0dd9dd7
description: 'Create a plist and execute it
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.001.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/LaunchAgents must exist\n"
prereq_command: 'if [ ! -d /Library/LaunchAgents ]; then mkdir /Library/LaunchAgents;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/LaunchAgents"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} /Library/LaunchAgents/#{plist_filename}
launchctl load -w /Library/LaunchAgents/#{plist_filename}
cleanup_command: |
launchctl unload /Library/LaunchAgents/#{plist_filename}
sudo rm /Library/LaunchAgents/#{plist_filename}
sudo rm /tmp/T1543_001_atomicredteam.txt
T1505:
technique:
modified: '2022-11-08T14:00:00.188Z'
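Review bot: duplicate of the 'Launch Agent - Root Directory' hunk under `privilege-escalation` above; the 'Root Directory' naming, the 'Create a plist and execute it' description, the `mkdir`-inside-`prereq_command` dependency and the 'cron folder' / 'shared library' text all recur here and should be fixed once at the source definition.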
+450 -2
@@ -20095,6 +20095,47 @@ privilege-escalation:
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
- name: Launch Daemon - Users Directory
auto_generated_guid: 6f899f9d-8a8e-4143-89a5-26fc2c3ec438
description: 'Utilize LaunchDaemon in /Users directory to touch temporary file
in /tmp
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.004.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist"
dependency_executor_name: bash
dependencies:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchDaemons/#{plist_filename}
cleanup_command: |-
sudo launchctl unload ~/Library/LaunchDaemons/#{plist_filename}
sudo rm ~/Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
modified: '2023-05-09T14:00:00.188Z'
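Review bot: this second index file receives the same 'Launch Daemon - Users Directory' block as the first; the points raised there apply unchanged: add a dependency that creates `~/Library/LaunchDaemons` before the `sudo cp`, document that `~` follows the executor's account and that `launchd` does not auto-load a per-user `LaunchDaemons` folder, and replace the 'cron folder' and 'shared library' descriptions. One fix at the source test and a regeneration clears all four generated copies.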
@@ -24524,7 +24565,6 @@ privilege-escalation:
auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198
description: |
Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
@@ -24537,6 +24577,142 @@ privilege-escalation:
'
name: sh
elevation_required: true
- name: Add launch script to launch daemon
auto_generated_guid: fc369906-90c7-4a15-86fd-d37da624dde6
description: |
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
input_arguments:
path_malicious_script:
description: Name of script to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037.005_daemon.sh"
path_malicious_plist:
description: Name of file to store in /tmp
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037_005_daemon.plist"
path_startup_params:
description: Name of plist with startup params
type: string
default: "$PathToAtomicsFolder/T1037.005/src/StartupParameters.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/StartupItems must exist\n"
prereq_command: 'if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/StartupItems"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
- description: 'The startup script must exist on disk at specified location
(#{path_malicious_script})
'
prereq_command: 'if [ -f #{path_malicious_script} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The startup script doesn''t exist. Check the path
and try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_daemon.plist
sudo /Library/StartupItems/atomic.sh start
cleanup_command: |
sudo launchctl unload /tmp/T1037_005_daemon.plist
sudo rm /tmp/T1037_005_daemon.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_daemon.txt
- name: Add launch script to launch agent
auto_generated_guid: 10cf5bec-49dd-4ebf-8077-8f47e420096f
description: |
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
input_arguments:
path_malicious_script:
description: Name of script to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037.005_agent.sh"
path_malicious_plist:
description: Name of file to store in /tmp
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037_005_agent.plist"
path_startup_params:
description: Name of plist with startup params
type: string
default: "$PathToAtomicsFolder/T1037.005/src/StartupParameters.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/StartupItems must exist\n"
prereq_command: 'if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/StartupItems"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
- description: 'The startup script must exist on disk at specified location
(#{path_malicious_script})
'
prereq_command: 'if [ -f #{path_malicious_script} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The startup script doesn''t exist. Check the path
and try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_agent.plist
/Library/StartupItems/atomic.sh start
cleanup_command: |-
sudo launchctl unload /tmp/T1037_005_agent.plist
sudo rm /tmp/T1037_005_agent.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_agent.txt
T1078.002:
technique:
modified: '2023-08-14T14:55:07.432Z'
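Review bot: same two StartupItems tests as in the first index file, with the same `prereq_command` that does `mkdir` without `sudo` and then `exit 0` regardless of outcome, the daemon test's description copied from the agent test, and the 'cron folder' argument text; fix at the source and regenerate.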
@@ -24997,6 +25173,54 @@ privilege-escalation:
cleanup_command: |-
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}
- name: Launch Agent - Root Directory
auto_generated_guid: 66774fa8-c562-4bae-a58d-5264a0dd9dd7
description: 'Create a plist and execute it
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.001.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/LaunchAgents must exist\n"
prereq_command: 'if [ ! -d /Library/LaunchAgents ]; then mkdir /Library/LaunchAgents;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/LaunchAgents"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} /Library/LaunchAgents/#{plist_filename}
launchctl load -w /Library/LaunchAgents/#{plist_filename}
cleanup_command: |
launchctl unload /Library/LaunchAgents/#{plist_filename}
sudo rm /Library/LaunchAgents/#{plist_filename}
sudo rm /tmp/T1543_001_atomicredteam.txt
T1055.009:
technique:
x_mitre_platforms:
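Review bot: same 'Launch Agent - Root Directory' block as in the first index file; the naming, the vague description, the `mkdir`-inside-`prereq_command` dependency and the 'cron folder' / 'shared library' text all need the one upstream fix noted there.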
@@ -33359,6 +33583,47 @@ persistence:
sudo launchctl unload /Library/LaunchDaemons/#{plist_filename}
sudo rm /Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
- name: Launch Daemon - Users Directory
auto_generated_guid: 6f899f9d-8a8e-4143-89a5-26fc2c3ec438
description: 'Utilize LaunchDaemon in /Users directory to touch temporary file
in /tmp
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.004.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist"
dependency_executor_name: bash
dependencies:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchDaemons/#{plist_filename}
cleanup_command: |-
sudo launchctl unload ~/Library/LaunchDaemons/#{plist_filename}
sudo rm ~/Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
T1574.008:
technique:
modified: '2023-05-09T14:00:00.188Z'
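Review bot: `persistence` copy of the 'Launch Daemon - Users Directory' test in this file; identical content and identical issues to the `privilege-escalation` copy reviewed above, so no separate change is needed here once the source definition is corrected.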
@@ -37471,7 +37736,6 @@ persistence:
auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198
description: |
Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
@@ -37484,6 +37748,142 @@ persistence:
'
name: sh
elevation_required: true
- name: Add launch script to launch daemon
auto_generated_guid: fc369906-90c7-4a15-86fd-d37da624dde6
description: |
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
input_arguments:
path_malicious_script:
description: Name of script to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037.005_daemon.sh"
path_malicious_plist:
description: Name of file to store in /tmp
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037_005_daemon.plist"
path_startup_params:
description: Name of plist with startup params
type: string
default: "$PathToAtomicsFolder/T1037.005/src/StartupParameters.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/StartupItems must exist\n"
prereq_command: 'if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/StartupItems"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
- description: 'The startup script must exist on disk at specified location
(#{path_malicious_script})
'
prereq_command: 'if [ -f #{path_malicious_script} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The startup script doesn''t exist. Check the path
and try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_daemon.plist
sudo /Library/StartupItems/atomic.sh start
cleanup_command: |
sudo launchctl unload /tmp/T1037_005_daemon.plist
sudo rm /tmp/T1037_005_daemon.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_daemon.txt
- name: Add launch script to launch agent
auto_generated_guid: 10cf5bec-49dd-4ebf-8077-8f47e420096f
description: |
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
supported_platforms:
- macos
input_arguments:
path_malicious_script:
description: Name of script to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037.005_agent.sh"
path_malicious_plist:
description: Name of file to store in /tmp
type: string
default: "$PathToAtomicsFolder/T1037.005/src/T1037_005_agent.plist"
path_startup_params:
description: Name of plist with startup params
type: string
default: "$PathToAtomicsFolder/T1037.005/src/StartupParameters.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/StartupItems must exist\n"
prereq_command: 'if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/StartupItems"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
- description: 'The startup script must exist on disk at specified location
(#{path_malicious_script})
'
prereq_command: 'if [ -f #{path_malicious_script} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The startup script doesn''t exist. Check the path
and try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_agent.plist
/Library/StartupItems/atomic.sh start
cleanup_command: |-
sudo launchctl unload /tmp/T1037_005_agent.plist
sudo rm /tmp/T1037_005_agent.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_agent.txt
T1078.002:
technique:
modified: '2023-08-14T14:55:07.432Z'
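Review bot: `persistence` copy of the two StartupItems tests in this file; identical to the `privilege-escalation` copy reviewed above, including the `prereq_command` that cannot fail and the mis-copied descriptions, so it is covered by the same upstream fix.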
@@ -38122,6 +38522,54 @@ persistence:
cleanup_command: |-
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}
- name: Launch Agent - Root Directory
auto_generated_guid: 66774fa8-c562-4bae-a58d-5264a0dd9dd7
description: 'Create a plist and execute it
'
supported_platforms:
- macos
input_arguments:
plist_filename:
description: filename
type: string
default: com.atomicredteam.T1543.001.plist
path_malicious_plist:
description: Name of file to store in cron folder
type: string
default: "$PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist"
dependency_executor_name: bash
dependencies:
- description: "/Library/LaunchAgents must exist\n"
prereq_command: 'if [ ! -d /Library/LaunchAgents ]; then mkdir /Library/LaunchAgents;
exit 0; fi;
'
get_prereq_command: 'echo "Failed to create /Library/LaunchAgents"; exit 1;
'
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
'
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
'
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
'
executor:
name: bash
elevation_required: true
command: |
sudo cp #{path_malicious_plist} /Library/LaunchAgents/#{plist_filename}
launchctl load -w /Library/LaunchAgents/#{plist_filename}
cleanup_command: |
launchctl unload /Library/LaunchAgents/#{plist_filename}
sudo rm /Library/LaunchAgents/#{plist_filename}
sudo rm /tmp/T1543_001_atomicredteam.txt
T1505:
technique:
modified: '2022-11-08T14:00:00.188Z'
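Review bot: The first dependency's prereq_command, `if [ ! -d /Library/LaunchAgents ]; then mkdir /Library/LaunchAgents; exit 0; fi;`, exits 0 on both paths (the `if` itself returns 0 when the directory exists, and `exit 0` follows the `mkdir` whether or not it succeeded), so the dependency can never be reported as unmet and the get_prereq_command is unreachable; it should return `mkdir`'s status, and the `mkdir` likely needs `sudo` under the root-owned `/Library`. The description strings also do not match what the test does: `The shared library must exist on disk` refers to a launchd plist, and `Name of file to store in cron folder` describes a file copied to `/Library/LaunchAgents/`; both should be corrected in the source YAML since this index is generated from it.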
+158 -1
@@ -10,12 +10,15 @@ An adversary can create the appropriate folders/files in the StartupItems direct
- [Atomic Test #1 - Add file to Local Library StartupItems](#atomic-test-1---add-file-to-local-library-startupitems)
- [Atomic Test #2 - Add launch script to launch daemon](#atomic-test-2---add-launch-script-to-launch-daemon)
- [Atomic Test #3 - Add launch script to launch agent](#atomic-test-3---add-launch-script-to-launch-agent)
<br/>
## Atomic Test #1 - Add file to Local Library StartupItems
Modify or create an file in /Library/StartupItems
[Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware)
**Supported Platforms:** macOS
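Review bot: The context line `Modify or create an file in /Library/StartupItems` carries a typo (`an file` should be `a file`); since this markdown is generated, the fix belongs in the test description in T1037.005.yaml so the next generate-docs run picks it up.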
@@ -44,4 +47,158 @@ sudo rm /Library/StartupItems/EvilStartup.plist
<br/>
<br/>
## Atomic Test #2 - Add launch script to launch daemon
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
**Supported Platforms:** macOS
**auto_generated_guid:** fc369906-90c7-4a15-86fd-d37da624dde6
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_malicious_script | Name of script to store in cron folder | string | $PathToAtomicsFolder/T1037.005/src/T1037.005_daemon.sh|
| path_malicious_plist | Name of file to store in /tmp | string | $PathToAtomicsFolder/T1037.005/src/T1037_005_daemon.plist|
| path_startup_params | Name of plist with startup params | string | $PathToAtomicsFolder/T1037.005/src/StartupParameters.plist|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_daemon.plist
sudo /Library/StartupItems/atomic.sh start
```
#### Cleanup Commands:
```bash
sudo launchctl unload /tmp/T1037_005_daemon.plist
sudo rm /tmp/T1037_005_daemon.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_daemon.txt
```
#### Dependencies: Run with `bash`!
##### Description: /Library/StartupItems must exist
##### Check Prereq Commands:
```bash
if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems; exit 0; fi;
```
##### Get Prereq Commands:
```bash
echo "Failed to create /Library/StartupItems"; exit 1;
```
##### Description: The shared library must exist on disk at specified location (#{path_malicious_plist})
##### Check Prereq Commands:
```bash
if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
echo "The plist file doesn't exist. Check the path and try again."; exit 1;
```
##### Description: The startup script must exist on disk at specified location (#{path_malicious_script})
##### Check Prereq Commands:
```bash
if [ -f #{path_malicious_script} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
echo "The startup script doesn't exist. Check the path and try again."; exit 1;
```
<br/>
<br/>
## Atomic Test #3 - Add launch script to launch agent
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
**Supported Platforms:** macOS
**auto_generated_guid:** 10cf5bec-49dd-4ebf-8077-8f47e420096f
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_malicious_script | Name of script to store in cron folder | string | $PathToAtomicsFolder/T1037.005/src/T1037.005_agent.sh|
| path_malicious_plist | Name of file to store in /tmp | string | $PathToAtomicsFolder/T1037.005/src/T1037_005_agent.plist|
| path_startup_params | Name of plist with startup params | string | $PathToAtomicsFolder/T1037.005/src/StartupParameters.plist|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo cp #{path_startup_params} /Library/StartupItems/StartupParameters.plist
sudo cp #{path_malicious_script} /Library/StartupItems/atomic.sh
sudo cp #{path_malicious_plist} /tmp/T1037_005_agent.plist
/Library/StartupItems/atomic.sh start
```
#### Cleanup Commands:
```bash
sudo launchctl unload /tmp/T1037_005_agent.plist
sudo rm /tmp/T1037_005_agent.plist
sudo rm /Library/StartupItems/atomic.sh
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_agent.txt
```
#### Dependencies: Run with `bash`!
##### Description: /Library/StartupItems must exist
##### Check Prereq Commands:
```bash
if [ ! -d /Library/StartupItems ]; then mkdir /Library/StartupItems; exit 0; fi;
```
##### Get Prereq Commands:
```bash
echo "Failed to create /Library/StartupItems"; exit 1;
```
##### Description: The shared library must exist on disk at specified location (#{path_malicious_plist})
##### Check Prereq Commands:
```bash
if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
echo "The plist file doesn't exist. Check the path and try again."; exit 1;
```
##### Description: The startup script must exist on disk at specified location (#{path_malicious_script})
##### Check Prereq Commands:
```bash
if [ -f #{path_malicious_script} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
echo "The startup script doesn't exist. Check the path and try again."; exit 1;
```
<br/>
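Review bot: Atomic Test #2 (launch daemon) and Atomic Test #3 (launch agent) carry the identical description `Add launch script to /Library/StartupItems to launch agent`, so the daemon test's description should say daemon; the input descriptions `Name of script to store in cron folder` and the dependency description `The shared library must exist on disk` likewise describe neither `/Library/StartupItems` nor a plist and should be corrected at the YAML source. In Test #3 the attack command `/Library/StartupItems/atomic.sh start` runs without `sudo` although the heading says Elevation Required and the cleanup uses `sudo launchctl unload`, which is inconsistent with Test #2's `sudo /Library/StartupItems/atomic.sh start`. The `/Library/StartupItems must exist` check (`if [ ! -d ... ]; then mkdir ...; exit 0; fi;`) always exits 0, so its Get Prereq Commands can never run; return the `mkdir` status instead.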
+2 -2
@@ -16,7 +16,7 @@ atomic_tests:
name: sh
elevation_required: true
- name: Add launch script to launch daemon
auto_generated_guid:
auto_generated_guid: fc369906-90c7-4a15-86fd-d37da624dde6
description: |
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
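Review bot: The description under `Add launch script to launch daemon` still reads `Add launch script to /Library/StartupItems to launch agent`, a copy of the agent test's text; correcting it to `daemon` here fixes the generated markdown at its source. Assigning the GUID `fc369906-90c7-4a15-86fd-d37da624dde6` is otherwise the right fix for the previously empty `auto_generated_guid:`.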
@@ -70,7 +70,7 @@ atomic_tests:
sudo rm /Library/StartupItems/StartupParameters.plist
sudo rm /tmp/T1037_005_daemon.txt
- name: Add launch script to launch agent
auto_generated_guid:
auto_generated_guid: 10cf5bec-49dd-4ebf-8077-8f47e420096f
description: |
Add launch script to /Library/StartupItems to launch agent
[Example](https://cybersecurity.att.com/blogs/labs-research/diversity-in-recent-mac-malware)
+64
@@ -12,6 +12,8 @@ Adversaries may install a new Launch Agent that executes at login by placing a .
- [Atomic Test #2 - Event Monitor Daemon Persistence](#atomic-test-2---event-monitor-daemon-persistence)
- [Atomic Test #3 - Launch Agent - Root Directory](#atomic-test-3---launch-agent---root-directory)
<br/>
@@ -106,4 +108,66 @@ sudo rm /private/var/db/emondClients/#{empty_file}
<br/>
<br/>
## Atomic Test #3 - Launch Agent - Root Directory
Create a plist and execute it
**Supported Platforms:** macOS
**auto_generated_guid:** 66774fa8-c562-4bae-a58d-5264a0dd9dd7
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| plist_filename | filename | string | com.atomicredteam.T1543.001.plist|
| path_malicious_plist | Name of file to store in cron folder | string | $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo cp #{path_malicious_plist} /Library/LaunchAgents/#{plist_filename}
launchctl load -w /Library/LaunchAgents/#{plist_filename}
```
#### Cleanup Commands:
```bash
launchctl unload /Library/LaunchAgents/#{plist_filename}
sudo rm /Library/LaunchAgents/#{plist_filename}
sudo rm /tmp/T1543_001_atomicredteam.txt
```
#### Dependencies: Run with `bash`!
##### Description: /Library/LaunchAgents must exist
##### Check Prereq Commands:
```bash
if [ ! -d /Library/LaunchAgents ]; then mkdir /Library/LaunchAgents; exit 0; fi;
```
##### Get Prereq Commands:
```bash
echo "Failed to create /Library/LaunchAgents"; exit 1;
```
##### Description: The shared library must exist on disk at specified location (#{path_malicious_plist})
##### Check Prereq Commands:
```bash
if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
echo "The plist file doesn't exist. Check the path and try again."; exit 1;
```
<br/>
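Review bot: The description `Create a plist and execute it` does not say what the loaded agent does; the cleanup removes `/tmp/T1543_001_atomicredteam.txt`, so stating the observable effect (as T1543.004's `touch temporary file in /tmp` does) would help operators validate the test. The input description `Name of file to store in cron folder` for a file copied to `/Library/LaunchAgents/`, and the dependency description `The shared library must exist` for a plist, should be corrected in the YAML. The `/Library/LaunchAgents must exist` check runs `mkdir` without `sudo` and exits 0 regardless of the result, so its Get Prereq Commands block is dead; propagate the `mkdir` status and use `sudo` to match the executor's Elevation Required.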
+1 -1
@@ -64,7 +64,7 @@ atomic_tests:
sudo rm #{script_destination}
sudo rm /private/var/db/emondClients/#{empty_file}
- name: Launch Agent - Root Directory
auto_generated_guid:
auto_generated_guid: 66774fa8-c562-4bae-a58d-5264a0dd9dd7
description: |
Create a plist and execute it
supported_platforms:
+55
@@ -10,6 +10,8 @@ Additionally, system configuration changes (such as the installation of third pa
- [Atomic Test #1 - Launch Daemon](#atomic-test-1---launch-daemon)
- [Atomic Test #2 - Launch Daemon - Users Directory](#atomic-test-2---launch-daemon---users-directory)
<br/>
@@ -63,4 +65,57 @@ echo "The plist file doesn't exist. Check the path and try again."; exit 1;
<br/>
<br/>
## Atomic Test #2 - Launch Daemon - Users Directory
Utilize LaunchDaemon in /Users directory to touch temporary file in /tmp
**Supported Platforms:** macOS
**auto_generated_guid:** 6f899f9d-8a8e-4143-89a5-26fc2c3ec438
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| plist_filename | filename | string | com.atomicredteam.T1543.004.plist|
| path_malicious_plist | Name of file to store in cron folder | string | $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist|
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}
sudo launchctl load -w ~/Library/LaunchDaemons/#{plist_filename}
```
#### Cleanup Commands:
```bash
sudo launchctl unload ~/Library/LaunchDaemons/#{plist_filename}
sudo rm ~/Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
```
#### Dependencies: Run with `bash`!
##### Description: The shared library must exist on disk at specified location (#{path_malicious_plist})
##### Check Prereq Commands:
```bash
if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
echo "The plist file doesn't exist. Check the path and try again."; exit 1;
```
<br/>
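Review bot: The attack command `sudo cp #{path_malicious_plist} ~/Library/LaunchDaemons/#{plist_filename}` has no dependency ensuring `~/Library/LaunchDaemons` exists; unlike `/Library/LaunchDaemons`, that directory is not created by default in a user's home, so the `cp` will fail on a fresh system. Add a Check Prereq entry that creates it (mirroring the directory check used by the T1543.001 tests, but returning the `mkdir` status rather than an unconditional `exit 0`). The description `Utilize LaunchDaemon in /Users directory` and the input text `Name of file to store in cron folder` should also name the actual destination, `~/Library/LaunchDaemons`.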
+1 -1
@@ -35,7 +35,7 @@ atomic_tests:
sudo rm /Library/LaunchDaemons/#{plist_filename}
sudo rm /tmp/T1543_004_atomicredteam.txt
- name: Launch Daemon - Users Directory
auto_generated_guid:
auto_generated_guid: 6f899f9d-8a8e-4143-89a5-26fc2c3ec438
description: |
Utilize LaunchDaemon in /Users directory to touch temporary file in /tmp
supported_platforms:
+4
@@ -1628,3 +1628,7 @@ c8d40da9-31bd-47da-a497-11ea55d1ef6c
e5d95be6-02ee-4ff1-aebe-cf86013b6189
332f4c76-7e96-41a6-8cc2-7361c49db8be
08b4718f-a8bf-4bb5-a552-294fc5178fea
66774fa8-c562-4bae-a58d-5264a0dd9dd7
fc369906-90c7-4a15-86fd-d37da624dde6
10cf5bec-49dd-4ebf-8077-8f47e420096f
6f899f9d-8a8e-4143-89a5-26fc2c3ec438