Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2022-09-21 01:33:57 +00:00
parent 85f82b4a53
commit 5d1eb39ddb
7 changed files with 35 additions and 34 deletions
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
+1 -1
@@ -1206,6 +1206,7 @@ discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password
discovery,T1614.001,System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
discovery,T1614.001,System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1012,Query Registry,2,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Security Software Discovery,3,Security Software Discovery - ps (macOS),ba62ce11-e820-485f-9c17-6f3c857cd840,sh
@@ -1312,7 +1313,6 @@ command-and-control,T1105,Ingress Tool Transfer,28,Nimgrab - Transfer Files,b172
command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh
command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh
command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell
reconnaissance,T1592.002,Software,1,Enumerate COM Objects with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt
impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt
impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
1206 discovery T1614.001 System Language Discovery 1 Discover System Language by Registry Query 631d4cf1-42c9-4209-8fe9-6bd4de9421be command_prompt
1207 discovery T1614.001 System Language Discovery 2 Discover System Language with chcp d91473ca-944e-477a-b484-0e80217cd789 command_prompt
1208 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
1209 discovery T1012 Query Registry 2 Enumerate COM Objects in Registry with Powershell 0d80d088-a84c-4353-af1a-fc8b439f1564 powershell
1210 discovery T1518.001 Security Software Discovery 1 Security Software Discovery f92a380f-ced9-491f-b338-95a991418ce2 command_prompt
1211 discovery T1518.001 Security Software Discovery 2 Security Software Discovery - powershell 7f566051-f033-49fb-89de-b6bacab730f0 powershell
1212 discovery T1518.001 Security Software Discovery 3 Security Software Discovery - ps (macOS) ba62ce11-e820-485f-9c17-6f3c857cd840 sh
1313 command-and-control T1090.001 Internal Proxy 1 Connection Proxy 0ac21132-4485-4212-a681-349e8a6637cd sh
1314 command-and-control T1090.001 Internal Proxy 2 Connection Proxy for macOS UI 648d68c1-8bcd-4486-9abe-71c6655b6a2c sh
1315 command-and-control T1090.001 Internal Proxy 3 portproxy reg key b8223ea9-4be2-44a6-b50a-9657a3d4e72a powershell
reconnaissance T1592.002 Software 1 Enumerate COM Objects with Powershell 0d80d088-a84c-4353-af1a-fc8b439f1564 powershell
1316 impact T1489 Service Stop 1 Windows - Stop service using Service Controller 21dfb440-830d-4c86-a3e5-2a491d5a8d04 command_prompt
1317 impact T1489 Service Stop 2 Windows - Stop service using net.exe 41274289-ec9c-4213-bea4-e43c4aa57954 command_prompt
1318 impact T1489 Service Stop 3 Windows - Stop service by killing process f3191b84-c38b-400b-867e-3a217a27795f command_prompt
@@ -870,6 +870,7 @@ discovery,T1201,Password Policy Discovery,9,Enumerate Active Directory Password
discovery,T1614.001,System Language Discovery,1,Discover System Language by Registry Query,631d4cf1-42c9-4209-8fe9-6bd4de9421be,command_prompt
discovery,T1614.001,System Language Discovery,2,Discover System Language with chcp,d91473ca-944e-477a-b484-0e80217cd789,command_prompt
discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt
discovery,T1012,Query Registry,2,Enumerate COM Objects in Registry with Powershell,0d80d088-a84c-4353-af1a-fc8b439f1564,powershell
discovery,T1518.001,Security Software Discovery,1,Security Software Discovery,f92a380f-ced9-491f-b338-95a991418ce2,command_prompt
discovery,T1518.001,Security Software Discovery,2,Security Software Discovery - powershell,7f566051-f033-49fb-89de-b6bacab730f0,powershell
discovery,T1518.001,Security Software Discovery,5,Security Software Discovery - Sysmon Service,fe613cf3-8009-4446-9a0f-bc78a15b66c9,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
870 discovery T1614.001 System Language Discovery 1 Discover System Language by Registry Query 631d4cf1-42c9-4209-8fe9-6bd4de9421be command_prompt
871 discovery T1614.001 System Language Discovery 2 Discover System Language with chcp d91473ca-944e-477a-b484-0e80217cd789 command_prompt
872 discovery T1012 Query Registry 1 Query Registry 8f7578c4-9863-4d83-875c-a565573bbdf0 command_prompt
873 discovery T1012 Query Registry 2 Enumerate COM Objects in Registry with Powershell 0d80d088-a84c-4353-af1a-fc8b439f1564 powershell
874 discovery T1518.001 Security Software Discovery 1 Security Software Discovery f92a380f-ced9-491f-b338-95a991418ce2 command_prompt
875 discovery T1518.001 Security Software Discovery 2 Security Software Discovery - powershell 7f566051-f033-49fb-89de-b6bacab730f0 powershell
876 discovery T1518.001 Security Software Discovery 5 Security Software Discovery - Sysmon Service fe613cf3-8009-4446-9a0f-bc78a15b66c9 command_prompt
+2 -2
@@ -1956,6 +1956,7 @@
- Atomic Test #2: Discover System Language with chcp [windows]
- [T1012 Query Registry](../../T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- Atomic Test #2: Enumerate COM Objects in Registry with Powershell [windows]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
@@ -2194,8 +2195,7 @@
- T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1597 Search Closed Sources [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1592.003 Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1592.002 Software](../../T1592.002/T1592.002.md)
- Atomic Test #1: Enumerate COM Objects with Powershell [windows]
- T1592.002 Software [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1593.001 Social Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1589.001 Credentials [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1595.003 Wordlist Scanning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -1432,6 +1432,7 @@
- Atomic Test #2: Discover System Language with chcp [windows]
- [T1012 Query Registry](../../T1012/T1012.md)
- Atomic Test #1: Query Registry [windows]
- Atomic Test #2: Enumerate COM Objects in Registry with Powershell [windows]
- T1614 System Location Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1518.001 Security Software Discovery](../../T1518.001/T1518.001.md)
- Atomic Test #1: Security Software Discovery [windows]
+28 -29
@@ -85901,6 +85901,33 @@ discovery:
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
name: command_prompt
elevation_required: true
- name: Enumerate COM Objects in Registry with Powershell
auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
description: "This test is designed to enumerate the COM objects listed in HKCR,
then output their methods and CLSIDs to a text file.\nAn adversary could then
use this information to identify COM objects that might be vulnerable to abuse,
such as using them to spawn arbitrary processes. \nSee: https://www.mandiant.com/resources/hunting-com-objects"
supported_platforms:
- windows
input_arguments:
output_file:
description: File to output list of COM objects to
type: String
default: "$env:temp\\T1592.002Test1.txt"
executor:
command: |
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
{try{write-output "$($Position)-$($CLSID)"
write-output "------------"| out-file #{output_file} -append
write-output $($CLSID)| out-file #{output_file} -append
$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
$position += 1} catch{}}
cleanup_command: "remove-item #{output_file} -force -erroraction silentlycontinue\nremove-item
$env:temp\\clsids.txt -force -erroraction silentlycontinue \n"
name: powershell
T1614:
technique:
x_mitre_platforms:
@@ -95143,35 +95170,7 @@ reconnaissance:
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_data_sources:
- 'Internet Scan: Response Content'
identifier: T1592.002
atomic_tests:
- name: Enumerate COM Objects with Powershell
auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
description: "This test is designed to enumerate the COM objects listed in HKCR,
then output their methods and CLSIDs to a text file.\nAn adversary could then
use this information to identify COM objects that might be vulnerable to abuse,
such as using them to spawn arbitrary processes. \nSee: https://www.mandiant.com/resources/hunting-com-objects"
supported_platforms:
- windows
input_arguments:
output_file:
description: File to output list of COM objects to
type: String
default: "$env:temp\\T1592.002Test1.txt"
executor:
command: |
New-PSDrive -PSProvider registry -Root HKEY_CLASSES_ROOT -Name HKCR
Get-ChildItem -Path HKCR:\CLSID -Name | Select -Skip 1 > $env:temp\clsids.txt
ForEach($CLSID in Get-Content "$env:temp\clsids.txt")
{try{write-output "$($Position)-$($CLSID)"
write-output "------------"| out-file #{output_file} -append
write-output $($CLSID)| out-file #{output_file} -append
$handle=[activator]::CreateInstance([type]::GetTypeFromCLSID($CLSID))
$handle | get-member -erroraction silentlycontinue | out-file #{output_file} -append
$position += 1} catch{}}
cleanup_command: "remove-item #{output_file} -force -erroraction silentlycontinue\nremove-item
$env:temp\\clsids.txt -force -erroraction silentlycontinue \n"
name: powershell
atomic_tests: []
T1593.001:
technique:
x_mitre_platforms: