Generated docs from job=generate-docs branch=master [ci skip]

2024-07-04 17:06:22 +00:00
parent b1292579d2
commit 44de1a8e88
13 changed files with 71 additions and 6 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1584-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1585-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -1486,6 +1486,7 @@ credential-access,T1555,Credentials from Password Stores,6,WinPwn - Loot local C
 credential-access,T1555,Credentials from Password Stores,7,WinPwn - Loot local Credentials - Wifi Credentials,afe369c2-b42e-447f-98a3-fb1f4e2b8552,powershell
 credential-access,T1555,Credentials from Password Stores,8,WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords,db965264-3117-4bad-b7b7-2523b7856b92,powershell
 credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
+credential-access,T1552,Unsecured Credentials,2,Search for Passwords in Powershell History,f9c3d0ab-479b-4019-945f-22ace2b1731a,powershell
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
@@ -985,6 +985,7 @@ credential-access,T1555,Credentials from Password Stores,5,Enumerate credentials
 credential-access,T1555,Credentials from Password Stores,6,WinPwn - Loot local Credentials - lazagne,079ee2e9-6f16-47ca-a635-14efcd994118,powershell
 credential-access,T1555,Credentials from Password Stores,7,WinPwn - Loot local Credentials - Wifi Credentials,afe369c2-b42e-447f-98a3-fb1f4e2b8552,powershell
 credential-access,T1555,Credentials from Password Stores,8,WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords,db965264-3117-4bad-b7b7-2523b7856b92,powershell
+credential-access,T1552,Unsecured Credentials,2,Search for Passwords in Powershell History,f9c3d0ab-479b-4019-945f-22ace2b1731a,powershell
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
 credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
@@ -2084,6 +2084,7 @@
  - Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows]
 - [T1552 Unsecured Credentials](../../T1552/T1552.md)
  - Atomic Test #1: AWS - Retrieve EC2 Password Data using stratus [linux, macos, iaas:aws]
+  - Atomic Test #2: Search for Passwords in Powershell History [windows]
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
  - Atomic Test #1: Run Chrome-password Collector [windows]
@@ -1441,7 +1441,8 @@
  - Atomic Test #6: WinPwn - Loot local Credentials - lazagne [windows]
  - Atomic Test #7: WinPwn - Loot local Credentials - Wifi Credentials [windows]
  - Atomic Test #8: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords [windows]
- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+- [T1552 Unsecured Credentials](../../T1552/T1552.md)
+  - Atomic Test #2: Search for Passwords in Powershell History [windows]
 - T1556.007 Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1555.003 Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md)
  - Atomic Test #1: Run Chrome-password Collector [windows]
@@ -17,7 +17,7 @@
 | Spearphishing Voice [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: PowerShell](../../T1059.001/T1059.001.md) | [Office Application Startup](../../T1137/T1137.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Abuse Elevation Control Mechanism: Bypass User Account Control](../../T1548.002/T1548.002.md) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | [System Information Discovery](../../T1082/T1082.md) | [Lateral Tool Transfer](../../T1570/T1570.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Web Service: Exfiltration to Cloud Storage](../../T1567.002/T1567.002.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Financial Theft [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Inter-Process Communication](../../T1559/T1559.md) | [Boot or Logon Autostart Execution: Print Processors](../../T1547.012/T1547.012.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Pre-OS Boot: System Firmware](../../T1542.001/T1542.001.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery: Wi-Fi Discovery](../../T1016.002/T1016.002.md) | [Remote Service Session Hijacking: RDP Hijacking](../../T1563.002/T1563.002.md) | [Data from Local System](../../T1005/T1005.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
 | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Application Window Discovery](../../T1010/T1010.md) | [Use Alternate Authentication Material: Pass the Hash](../../T1550.002/T1550.002.md) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
-| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
+| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup: Add-ins](../../T1137.006/T1137.006.md) | [Thread Execution Hijacking](../../T1055.003/T1055.003.md) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Remote Services: Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Server Software Component: Transport Agent](../../T1505.002/T1505.002.md) | [Event Triggered Execution: Application Shimming](../../T1546.011/T1546.011.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hybrid Identity [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
 | Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Command and Scripting Interpreter: Windows Command Shell](../../T1059.003/T1059.003.md) | AppDomainManager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Port Monitors](../../T1547.010/T1547.010.md) | [Masquerading: Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) |  | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |  | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
 | [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | [Command and Scripting Interpreter: Visual Basic](../../T1059.005/T1059.005.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Injection](../../T1055/T1055.md) | Masquerade File Type [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) |  | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) |  | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -89049,6 +89049,20 @@ credential-access:
          rm -rf stratus*
        name: sh
        elevation_required: false
+    - name: Search for Passwords in Powershell History
+      auto_generated_guid: f9c3d0ab-479b-4019-945f-22ace2b1731a
+      description: |
+        Find passwords in the powershell history files
+        Searching for following strings: "password", "-p", "key", "pwd", "pass"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'ls -R C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
+          | Select-String "password", "-p", "key", "pwd", "pass"
+
+          '
+        name: powershell
+        elevation_required: true
  T1556.007:
    technique:
      modified: '2022-11-08T14:00:00.188Z'
@@ -73239,7 +73239,21 @@ credential-access:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      spec_version: '2.1'
      identifier: T1552
-    atomic_tests: []
+    atomic_tests:
+    - name: Search for Passwords in Powershell History
+      auto_generated_guid: f9c3d0ab-479b-4019-945f-22ace2b1731a
+      description: |
+        Find passwords in the powershell history files
+        Searching for following strings: "password", "-p", "key", "pwd", "pass"
+      supported_platforms:
+      - windows
+      executor:
+        command: 'ls -R C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
+          | Select-String "password", "-p", "key", "pwd", "pass"
+
+          '
+        name: powershell
+        elevation_required: true
  T1556.007:
    technique:
      modified: '2022-11-08T14:00:00.188Z'
@@ -6,6 +6,8 @@

 - [Atomic Test #1 - AWS - Retrieve EC2 Password Data using stratus](#atomic-test-1---aws---retrieve-ec2-password-data-using-stratus)

+- [Atomic Test #2 - Search for Passwords in Powershell History](#atomic-test-2---search-for-passwords-in-powershell-history)
+

 <br/>

@@ -81,4 +83,33 @@ echo Please install the aws-cli and configure your AWS defult profile using: aws



+<br/>
+<br/>
+
+## Atomic Test #2 - Search for Passwords in Powershell History
+Find passwords in the powershell history files
+Searching for following strings: "password", "-p", "key", "pwd", "pass"
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f9c3d0ab-479b-4019-945f-22ace2b1731a
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+ls -R C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt | Select-String "password", "-p", "key", "pwd", "pass"
+```
+
+
+
+
+
+
 <br/>
@@ -56,6 +56,7 @@ atomic_tests:
    name: sh
    elevation_required: false
 - name: Search for Passwords in Powershell History
+  auto_generated_guid: f9c3d0ab-479b-4019-945f-22ace2b1731a
  description: |
    Find passwords in the powershell history files
    Searching for following strings: "password", "-p", "key", "pwd", "pass"
@@ -1622,3 +1622,4 @@ ecbd533e-b45d-4239-aeff-b857c6f6d68b
 7bcf83bf-f5ef-425c-9d9a-71618ad9ed12
 0fd14730-6226-4f5e-8d67-43c65f1be940
 ab3f793f-2dcc-4da5-9c71-34988307263f
+f9c3d0ab-479b-4019-945f-22ace2b1731a