Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2022-08-01 16:52:24 +00:00
parent e3b3dc6c03
commit 4e0637e706
6 changed files with 58 additions and 0 deletions
+1
@@ -1253,6 +1253,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin
command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
1253 command-and-control T1105 Ingress Tool Transfer 23 Lolbas replace.exe use to copy file 54782d65-12f0-47a5-b4c1-b70ee23de6df command_prompt
1254 command-and-control T1105 Ingress Tool Transfer 24 Lolbas replace.exe use to copy UNC file ed0335ac-0354-400c-8148-f6151d20035a command_prompt
1255 command-and-control T1105 Ingress Tool Transfer 25 certreq download 6fdaae87-c05b-42f8-842e-991a74e8376b command_prompt
1256 command-and-control T1105 Ingress Tool Transfer 26 Download a file using wscript 97116a3f-efac-4b26-8336-b9cb18c45188 command_prompt
1257 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
1258 command-and-control T1090.001 Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
1259 command-and-control T1090.001 Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
@@ -909,6 +909,7 @@ command-and-control,T1105,Ingress Tool Transfer,22,Printer Migration Command-Lin
command-and-control,T1105,Ingress Tool Transfer,23,Lolbas replace.exe use to copy file,54782d65-12f0-47a5-b4c1-b70ee23de6df,command_prompt
command-and-control,T1105,Ingress Tool Transfer,24,Lolbas replace.exe use to copy UNC file,ed0335ac-0354-400c-8148-f6151d20035a,command_prompt
command-and-control,T1105,Ingress Tool Transfer,25,certreq download,6fdaae87-c05b-42f8-842e-991a74e8376b,command_prompt
command-and-control,T1105,Ingress Tool Transfer,26,Download a file using wscript,97116a3f-efac-4b26-8336-b9cb18c45188,command_prompt
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
909 command-and-control T1105 Ingress Tool Transfer 23 Lolbas replace.exe use to copy file 54782d65-12f0-47a5-b4c1-b70ee23de6df command_prompt
910 command-and-control T1105 Ingress Tool Transfer 24 Lolbas replace.exe use to copy UNC file ed0335ac-0354-400c-8148-f6151d20035a command_prompt
911 command-and-control T1105 Ingress Tool Transfer 25 certreq download 6fdaae87-c05b-42f8-842e-991a74e8376b command_prompt
912 command-and-control T1105 Ingress Tool Transfer 26 Download a file using wscript 97116a3f-efac-4b26-8336-b9cb18c45188 command_prompt
913 command-and-control T1090.001 Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
914 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
915 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
@@ -2095,6 +2095,7 @@
- Atomic Test #23: Lolbas replace.exe use to copy file [windows]
- Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
- Atomic Test #25: certreq download [windows]
- Atomic Test #26: Download a file using wscript [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
@@ -1521,6 +1521,7 @@
- Atomic Test #23: Lolbas replace.exe use to copy file [windows]
- Atomic Test #24: Lolbas replace.exe use to copy UNC file [windows]
- Atomic Test #25: certreq download [windows]
- Atomic Test #26: Download a file using wscript [windows]
- T1001.002 Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1008 Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md)
+15
@@ -91410,6 +91410,21 @@ command-and-control:
command: 'certreq.exe -Post -config #{remote_file} c:\windows\win.ini #{local_path}'
cleanup_command: 'del #{local_path} >nul 2>&1'
name: command_prompt
- name: Download a file using wscript
auto_generated_guid: 97116a3f-efac-4b26-8336-b9cb18c45188
description: Use wscript to run a local VisualBasic file to download a remote
file
supported_platforms:
- windows
input_arguments:
vbscript_file:
description: Full path to the VisualBasic downloading the file
type: String
default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
executor:
command: 'wscript.exe #{vbscript_file}'
cleanup_command: del Atomic-License.txt >nul 2>&1
name: command_prompt
T1001.002:
technique:
x_mitre_platforms:
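Review bot: The new `Download a file using wscript` entry passes `#{vbscript_file}` to wscript.exe unquoted, so a PathToAtomicsFolder that contains a space would be split into several arguments; `command: 'wscript.exe "#{vbscript_file}"'` avoids that. The `cleanup_command` deletes `Atomic-License.txt` by bare name, which presumably relies on cleanup running in the same working directory the script wrote to; otherwise the downloaded file stays on the test host and `>nul 2>&1` hides the failure. The entry also has no `dependencies` block checking that the .vbs file exists before execution. This index looks generated (per the commit title), so any change belongs in the source test definition rather than here.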
+39
@@ -58,6 +58,8 @@ On Windows, adversaries may use various utilities to download tools, such as `co
- [Atomic Test #25 - certreq download](#atomic-test-25---certreq-download)
- [Atomic Test #26 - Download a file using wscript](#atomic-test-26---download-a-file-using-wscript)
<br/>
@@ -1132,4 +1134,41 @@ del #{local_path} >nul 2>&1
<br/>
<br/>
## Atomic Test #26 - Download a file using wscript
Use wscript to run a local VisualBasic file to download a remote file
**Supported Platforms:** Windows
**auto_generated_guid:** 97116a3f-efac-4b26-8336-b9cb18c45188
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| vbscript_file | Full path to the VisualBasic downloading the file | String | PathToAtomicsFolder&#92;T1105&#92;src&#92;T1105-download-file.vbs|
#### Attack Commands: Run with `command_prompt`!
```cmd
wscript.exe #{vbscript_file}
```
#### Cleanup Commands:
```cmd
del Atomic-License.txt >nul 2>&1
```
<br/>