Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2024-02-26 15:17:23 +00:00
parent 05fc04f419
commit 5aef5da247
9 changed files with 69 additions and 2 deletions
File diff suppressed because one or more lines are too long
@@ -1724,6 +1724,7 @@ discovery,T1049,System Network Connections Discovery,3,"System Network Connectio
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1619,Cloud Storage Object Discovery,1,AWS S3 Enumeration,3c7094f8-71ec-4917-aeb8-a633d7ec4ef5,sh
discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
@@ -1140,6 +1140,7 @@ discovery,T1049,System Network Connections Discovery,1,System Network Connection
discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell
discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell
discovery,T1654,Log Enumeration,1,Get-EventLog To Enumerate Windows Security Log,a9030b20-dd4b-4405-875e-3462c6078fdc,powershell
discovery,T1654,Log Enumeration,2,Enumerate Windows Security Log via WevtUtil,fef0ace1-3550-4bf1-a075-9fea55a778dd,command_prompt
discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt
discovery,T1057,Process Discovery,3,Process Discovery - Get-Process,3b3809b6-a54b-4f5b-8aff-cb51f2e97b34,powershell
discovery,T1057,Process Discovery,4,Process Discovery - get-wmiObject,b51239b4-0129-474f-a2b4-70f855b9f2c2,powershell
@@ -2381,6 +2381,7 @@
- Atomic Test #1: AWS S3 Enumeration [iaas:aws]
- [T1654 Log Enumeration](../../T1654/T1654.md)
- Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
- Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows]
- T1087.004 Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #1: Process Discovery - ps [linux, macos]
@@ -1651,6 +1651,7 @@
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1654 Log Enumeration](../../T1654/T1654.md)
- Atomic Test #1: Get-EventLog To Enumerate Windows Security Log [windows]
- Atomic Test #2: Enumerate Windows Security Log via WevtUtil [windows]
- [T1057 Process Discovery](../../T1057/T1057.md)
- Atomic Test #2: Process Discovery - tasklist [windows]
- Atomic Test #3: Process Discovery - Get-Process [windows]
@@ -97822,6 +97822,20 @@ discovery:
Ignore"
name: powershell
elevation_required: true
- name: Enumerate Windows Security Log via WevtUtil
auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd
description: "WevtUtil is a command line tool that can be utilised by adversaries
to gather intelligence on a targeted Windows system's logging infrastructure.
\n\nBy executing this command, malicious actors can enumerate all available
event logs, including both default logs such as Application, Security, and
System\nas well as any custom logs created by administrators. \n\nThis information
provides valuable insight into the system's logging mechanisms, potentially
allowing attackers to identify gaps or weaknesses in the logging configuration"
supported_platforms:
- windows
executor:
command: wevtutil enum-logs
name: command_prompt
T1087.004:
technique:
x_mitre_platforms:
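Review bot: the test name `Enumerate Windows Security Log via WevtUtil` does not match what the executor does. `wevtutil enum-logs` lists the names of every registered log channel, and the description in this same hunk says it enumerates "all available event logs, including both default logs such as Application, Security, and System as well as any custom logs", so the title should not single out the Security log. Suggest a name such as `Enumerate Windows Event Log channels via WevtUtil`; the index CSVs and the generated markdown heading and anchor would then follow from the YAML. The description's last sentence also ends without a full stop after "logging configuration".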
@@ -79723,6 +79723,20 @@ discovery:
Ignore"
name: powershell
elevation_required: true
- name: Enumerate Windows Security Log via WevtUtil
auto_generated_guid: fef0ace1-3550-4bf1-a075-9fea55a778dd
description: "WevtUtil is a command line tool that can be utilised by adversaries
to gather intelligence on a targeted Windows system's logging infrastructure.
\n\nBy executing this command, malicious actors can enumerate all available
event logs, including both default logs such as Application, Security, and
System\nas well as any custom logs created by administrators. \n\nThis information
provides valuable insight into the system's logging mechanisms, potentially
allowing attackers to identify gaps or weaknesses in the logging configuration"
supported_platforms:
- windows
executor:
command: wevtutil enum-logs
name: command_prompt
T1087.004:
technique:
x_mitre_platforms:
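Review bot: the new `executor` block omits `elevation_required`, whereas the preceding test's executor (the `elevation_required: true` line at the top of this hunk) states it explicitly. Listing channel names with `wevtutil enum-logs` works from a standard user prompt, so add `elevation_required: false` to make that deliberate instead of leaving the reader to infer the default. It would also help defenders if the description said what telemetry the test produces: a `wevtutil.exe` process creation with `enum-logs` on the command line and no file writes, which is also why no cleanup command is needed.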
@@ -10,6 +10,8 @@ Adversaries may also target centralized logging infrastructure such as SIEMs. Lo
- [Atomic Test #1 - Get-EventLog To Enumerate Windows Security Log](#atomic-test-1---get-eventlog-to-enumerate-windows-security-log)
- [Atomic Test #2 - Enumerate Windows Security Log via WevtUtil](#atomic-test-2---enumerate-windows-security-log-via-wevtutil)
<br/>
@@ -47,4 +49,37 @@ powershell -c "remove-item $env:temp\T1654_events.txt -ErrorAction Ignore"
<br/>
<br/>
## Atomic Test #2 - Enumerate Windows Security Log via WevtUtil
WevtUtil is a command line tool that can be utilised by adversaries to gather intelligence on a targeted Windows system's logging infrastructure.
By executing this command, malicious actors can enumerate all available event logs, including both default logs such as Application, Security, and System
as well as any custom logs created by administrators.
This information provides valuable insight into the system's logging mechanisms, potentially allowing attackers to identify gaps or weaknesses in the logging configuration
**Supported Platforms:** Windows
**auto_generated_guid:** fef0ace1-3550-4bf1-a075-9fea55a778dd
#### Attack Commands: Run with `command_prompt`!
```cmd
wevtutil enum-logs
```
<br/>
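Review bot: the heading, anchor, `auto_generated_guid` and the `cmd` fence all agree with the YAML source, so the only issue here is inherited from it: the description paragraph ends without a period after "logging configuration". Since this markdown is generated output, fix the sentence in the atomic's YAML and regenerate rather than editing this file by hand.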