Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2020-05-20 13:44:04 +00:00
parent 1b2bf832c3
commit 51ce388932
4 changed files with 60 additions and 60 deletions
+1 -1
@@ -209,7 +209,7 @@ defense-evasion,T1036,Masquerading,5,Masquerading - powershell.exe running as ta
defense-evasion,T1036,Masquerading,6,Masquerading - non-windows exe running as windows exe,bc15c13f-d121-4b1f-8c7d-28d95854d086,powershell
defense-evasion,T1036,Masquerading,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
defense-evasion,T1036,Masquerading,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
defense-evasion,T1036,Masquerading,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,powershell
defense-evasion,T1036,Masquerading,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
209 defense-evasion T1036 Masquerading 6 Masquerading - non-windows exe running as windows exe bc15c13f-d121-4b1f-8c7d-28d95854d086 powershell
210 defense-evasion T1036 Masquerading 7 Masquerading - windows exe running as different windows exe c3d24a39-2bfe-4c6a-b064-90cd73896cb0 powershell
211 defense-evasion T1036 Masquerading 8 Malicious process Masquerading as LSM.exe 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f command_prompt
212 defense-evasion T1036 Masquerading 9 File Extension Masquerading c7fa0c3b-b57f-4cba-9118-863bf4e653fc powershell command_prompt
213 defense-evasion T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
214 defense-evasion T1112 Modify Registry 2 Modify Registry of Local Machine - cmd 282f929a-6bc5-42b8-bd93-960c3ba35afe command_prompt
215 defense-evasion T1112 Modify Registry 3 Modify registry to store logon credentials c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 command_prompt
@@ -75,7 +75,7 @@ defense-evasion,T1036,Masquerading,5,Masquerading - powershell.exe running as ta
defense-evasion,T1036,Masquerading,6,Masquerading - non-windows exe running as windows exe,bc15c13f-d121-4b1f-8c7d-28d95854d086,powershell
defense-evasion,T1036,Masquerading,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell
defense-evasion,T1036,Masquerading,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt
defense-evasion,T1036,Masquerading,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,powershell
defense-evasion,T1036,Masquerading,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt
defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt
defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt
defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
75 defense-evasion T1036 Masquerading 6 Masquerading - non-windows exe running as windows exe bc15c13f-d121-4b1f-8c7d-28d95854d086 powershell
76 defense-evasion T1036 Masquerading 7 Masquerading - windows exe running as different windows exe c3d24a39-2bfe-4c6a-b064-90cd73896cb0 powershell
77 defense-evasion T1036 Masquerading 8 Malicious process Masquerading as LSM.exe 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f command_prompt
78 defense-evasion T1036 Masquerading 9 File Extension Masquerading c7fa0c3b-b57f-4cba-9118-863bf4e653fc powershell command_prompt
79 defense-evasion T1112 Modify Registry 1 Modify Registry of Current User Profile - cmd 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 command_prompt
80 defense-evasion T1112 Modify Registry 2 Modify Registry of Local Machine - cmd 282f929a-6bc5-42b8-bd93-960c3ba35afe command_prompt
81 defense-evasion T1112 Modify Registry 3 Modify registry to store logon credentials c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 command_prompt
+28 -28
@@ -12657,37 +12657,37 @@ defense-evasion:
type: path
default: PathToAtomicsFolder\T1036\src\T1036_masquerading.ps1
executor:
name: powershell
name: command_prompt
elevation_required: false
command: |
Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.docx.exe -Force
Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.pdf.exe -Force
Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.ps1.exe -Force
Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.xls.vbs -Force
Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.xlsx.vbs -Force
Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.png.vbs -Force
Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.vbs.ps1 -Force
Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.exe.ps1 -Force
Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.js.ps1 -Force
Invoke-Expression $env:TEMP\T1036_masquerading.docx.exe
Invoke-Expression $env:TEMP\T1036_masquerading.pdf.exe
Invoke-Expression $env:TEMP\T1036_masquerading.ps1.exe
Invoke-Expression $env:TEMP\T1036_masquerading.xls.vbs
Invoke-Expression $env:TEMP\T1036_masquerading.xlsx.vbs
Invoke-Expression $env:TEMP\T1036_masquerading.png.vbs
Invoke-Expression $env:TEMP\T1036_masquerading.vbs.ps1
Invoke-Expression $env:TEMP\T1036_masquerading.exe.ps1
Invoke-Expression $env:TEMP\T1036_masquerading.js.ps1
copy #{exe_path} %temp%\T1036_masquerading.docx.exe /Y
copy #{exe_path} %temp%\T1036_masquerading.pdf.exe /Y
copy #{exe_path} %temp%\T1036_masquerading.ps1.exe /Y
copy #{vbs_path} %temp%\T1036_masquerading.xls.vbs /Y
copy #{vbs_path} %temp%\T1036_masquerading.xlsx.vbs /Y
copy #{vbs_path} %temp%\T1036_masquerading.png.vbs /Y
copy #{ps1_path} %temp%\T1036_masquerading.doc.ps1 /Y
copy #{ps1_path} %temp%\T1036_masquerading.pdf.ps1 /Y
copy #{ps1_path} %temp%\T1036_masquerading.rtf.ps1 /Y
%temp%\T1036_masquerading.docx.exe
%temp%\T1036_masquerading.pdf.exe
%temp%\T1036_masquerading.ps1.exe
%temp%\T1036_masquerading.xls.vbs
%temp%\T1036_masquerading.xlsx.vbs
%temp%\T1036_masquerading.png.vbs
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036_masquerading.doc.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036_masquerading.pdf.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036_masquerading.rtf.ps1
cleanup_command: |
Remove-Item $env:TEMP\T1036_masquerading.docx.exe -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.pdf.exe -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.ps1.exe -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.xls.vbs -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.xlsx.vbs -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.png.vbs -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.vbs.ps1 -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.exe.ps1 -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.js.ps1 -Force -ErrorAction Ignore | Out-Null
del /f %temp%\T1036_masquerading.docx.exe > nul 2>&1
del /f %temp%\T1036_masquerading.pdf.exe > nul 2>&1
del /f %temp%\T1036_masquerading.ps1.exe > nul 2>&1
del /f %temp%\T1036_masquerading.xls.vbs > nul 2>&1
del /f %temp%\T1036_masquerading.xlsx.vbs > nul 2>&1
del /f %temp%\T1036_masquerading.png.vbs > nul 2>&1
del /f %temp%\T1036_masquerading.doc.ps1 > nul 2>&1
del /f %temp%\T1036_masquerading.pdf.ps1 > nul 2>&1
del /f %temp%\T1036_masquerading.rtf.ps1 > nul 2>&1
T1112:
technique:
x_mitre_data_sources:
+30 -30
@@ -330,41 +330,41 @@ e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc
| ps1_path | path of powershell script to use when creating masquerading files | path | PathToAtomicsFolder\T1036\src\T1036_masquerading.ps1|
#### Attack Commands: Run with `powershell`!
#### Attack Commands: Run with `command_prompt`!
```powershell
Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.docx.exe -Force
Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.pdf.exe -Force
Copy-Item #{exe_path} -Destination $env:TEMP\T1036_masquerading.ps1.exe -Force
Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.xls.vbs -Force
Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.xlsx.vbs -Force
Copy-Item #{vbs_path} -Destination $env:TEMP\T1036_masquerading.png.vbs -Force
Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.vbs.ps1 -Force
Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.exe.ps1 -Force
Copy-Item #{ps1_path} -Destination $env:TEMP\T1036_masquerading.js.ps1 -Force
Invoke-Expression $env:TEMP\T1036_masquerading.docx.exe
Invoke-Expression $env:TEMP\T1036_masquerading.pdf.exe
Invoke-Expression $env:TEMP\T1036_masquerading.ps1.exe
Invoke-Expression $env:TEMP\T1036_masquerading.xls.vbs
Invoke-Expression $env:TEMP\T1036_masquerading.xlsx.vbs
Invoke-Expression $env:TEMP\T1036_masquerading.png.vbs
Invoke-Expression $env:TEMP\T1036_masquerading.vbs.ps1
Invoke-Expression $env:TEMP\T1036_masquerading.exe.ps1
Invoke-Expression $env:TEMP\T1036_masquerading.js.ps1
```cmd
copy #{exe_path} %temp%\T1036_masquerading.docx.exe /Y
copy #{exe_path} %temp%\T1036_masquerading.pdf.exe /Y
copy #{exe_path} %temp%\T1036_masquerading.ps1.exe /Y
copy #{vbs_path} %temp%\T1036_masquerading.xls.vbs /Y
copy #{vbs_path} %temp%\T1036_masquerading.xlsx.vbs /Y
copy #{vbs_path} %temp%\T1036_masquerading.png.vbs /Y
copy #{ps1_path} %temp%\T1036_masquerading.doc.ps1 /Y
copy #{ps1_path} %temp%\T1036_masquerading.pdf.ps1 /Y
copy #{ps1_path} %temp%\T1036_masquerading.rtf.ps1 /Y
%temp%\T1036_masquerading.docx.exe
%temp%\T1036_masquerading.pdf.exe
%temp%\T1036_masquerading.ps1.exe
%temp%\T1036_masquerading.xls.vbs
%temp%\T1036_masquerading.xlsx.vbs
%temp%\T1036_masquerading.png.vbs
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036_masquerading.doc.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036_masquerading.pdf.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036_masquerading.rtf.ps1
```
#### Cleanup Commands:
```powershell
Remove-Item $env:TEMP\T1036_masquerading.docx.exe -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.pdf.exe -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.ps1.exe -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.xls.vbs -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.xlsx.vbs -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.png.vbs -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.vbs.ps1 -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.exe.ps1 -Force -ErrorAction Ignore | Out-Null
Remove-Item $env:TEMP\T1036_masquerading.js.ps1 -Force -ErrorAction Ignore | Out-Null
```cmd
del /f %temp%\T1036_masquerading.docx.exe > nul 2>&1
del /f %temp%\T1036_masquerading.pdf.exe > nul 2>&1
del /f %temp%\T1036_masquerading.ps1.exe > nul 2>&1
del /f %temp%\T1036_masquerading.xls.vbs > nul 2>&1
del /f %temp%\T1036_masquerading.xlsx.vbs > nul 2>&1
del /f %temp%\T1036_masquerading.png.vbs > nul 2>&1
del /f %temp%\T1036_masquerading.doc.ps1 > nul 2>&1
del /f %temp%\T1036_masquerading.pdf.ps1 > nul 2>&1
del /f %temp%\T1036_masquerading.rtf.ps1 > nul 2>&1
```