Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2024-03-07 02:20:46 +00:00
parent e4129551f7
commit 4e9698e67c
5 changed files with 7 additions and 7 deletions
+1 -1
@@ -399,7 +399,7 @@ defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,8,Sett
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,9,Setting the HISTFILE environment variable (freebsd),f7308845-6da8-468e-99f2-4271f2f5bb67,sh
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,10,Setting the HISTIGNORE environment variable,f12acddb-7502-4ce6-a146-5b62c59592f1,bash
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,11,Disable Windows Command Line Auditing using reg.exe,1329d5ab-e10e-4e5e-93d1-4d907eb656e5,command_prompt
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,12,Disable Windows Command Line Auditing using Powershell Cmdlet,95f5c72f-6dfe-45f3-a8c1-d8faa07176fa,command_prompt
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,12,Disable Windows Command Line Auditing using Powershell Cmdlet,95f5c72f-6dfe-45f3-a8c1-d8faa07176fa,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
399 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 9 Setting the HISTFILE environment variable (freebsd) f7308845-6da8-468e-99f2-4271f2f5bb67 sh
400 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 10 Setting the HISTIGNORE environment variable f12acddb-7502-4ce6-a146-5b62c59592f1 bash
401 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 11 Disable Windows Command Line Auditing using reg.exe 1329d5ab-e10e-4e5e-93d1-4d907eb656e5 command_prompt
402 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 12 Disable Windows Command Line Auditing using Powershell Cmdlet 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa command_prompt powershell
403 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
404 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
405 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
@@ -267,7 +267,7 @@ defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,4
defense-evasion,T1134.001,Access Token Manipulation: Token Impersonation/Theft,5,Juicy Potato,f095e373-b936-4eb4-8d22-f47ccbfbe64a,powershell
defense-evasion,T1564.002,Hide Artifacts: Hidden Users,3,Create Hidden User in Registry,173126b7-afe4-45eb-8680-fa9f6400431c,command_prompt
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,11,Disable Windows Command Line Auditing using reg.exe,1329d5ab-e10e-4e5e-93d1-4d907eb656e5,command_prompt
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,12,Disable Windows Command Line Auditing using Powershell Cmdlet,95f5c72f-6dfe-45f3-a8c1-d8faa07176fa,command_prompt
defense-evasion,T1562.003,Impair Defenses: Impair Command History Logging,12,Disable Windows Command Line Auditing using Powershell Cmdlet,95f5c72f-6dfe-45f3-a8c1-d8faa07176fa,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
defense-evasion,T1134.004,Access Token Manipulation: Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
267 defense-evasion T1134.001 Access Token Manipulation: Token Impersonation/Theft 5 Juicy Potato f095e373-b936-4eb4-8d22-f47ccbfbe64a powershell
268 defense-evasion T1564.002 Hide Artifacts: Hidden Users 3 Create Hidden User in Registry 173126b7-afe4-45eb-8680-fa9f6400431c command_prompt
269 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 11 Disable Windows Command Line Auditing using reg.exe 1329d5ab-e10e-4e5e-93d1-4d907eb656e5 command_prompt
270 defense-evasion T1562.003 Impair Defenses: Impair Command History Logging 12 Disable Windows Command Line Auditing using Powershell Cmdlet 95f5c72f-6dfe-45f3-a8c1-d8faa07176fa command_prompt powershell
271 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 1 Parent PID Spoofing using PowerShell 069258f4-2162-46e9-9a25-c9c6c56150d2 powershell
272 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 2 Parent PID Spoofing - Spawn from Current Process 14920ebd-1d61-491a-85e0-fe98efe37f25 powershell
273 defense-evasion T1134.004 Access Token Manipulation: Parent PID Spoofing 3 Parent PID Spoofing - Spawn from Specified Process cbbff285-9051-444a-9d17-c07cd2d230eb powershell
+1 -1
@@ -18546,7 +18546,7 @@ defense-evasion:
supported_platforms:
- windows
executor:
name: command_prompt
name: powershell
elevation_required: true
command: |
echo "Commencing Attack - Disabling Registry Value"
+1 -1
@@ -15026,7 +15026,7 @@ defense-evasion:
supported_platforms:
- windows
executor:
name: command_prompt
name: powershell
elevation_required: true
command: |
echo "Commencing Attack - Disabling Registry Value"
+3 -3
@@ -500,16 +500,16 @@ https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.managem
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```cmd
```powershell
echo "Commencing Attack - Disabling Registry Value"
New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 0 -PropertyType DWORD -Force -ErrorAction Ignore
```
#### Cleanup Commands:
```cmd
```powershell
echo "Commencing Cleanup - Restoring Registry Value"
New-ItemProperty -Path "HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force -ErrorAction Ignore
```