security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=validate_atomics_generate_docs branch=master

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2019-11-05 19:05:50 +00:00
parent 2a7ba54263
commit 6170883105
11 changed files with 91 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1518/T1518.md
+25
View File
@@ -0,0 +1,25 @@
# T1518 - Software Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1518)
<blockquote>Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Find and Display Iinternet Explorer Browser Version](#atomic-test-1---find-and-display-iinternet-explorer-browser-version)
<br/>
## Atomic Test #1 - Find and Display Iinternet Explorer Browser Version
Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
```
<br/>
atomics/art_navigator_layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/index.md
+2 -1
View File
@@ -548,7 +548,8 @@
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
- Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1518 Software Discovery](./T1518/T1518.md)
- Atomic Test #1: Find and Display Iinternet Explorer Browser Version [windows]
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [linux, macos]
atomics/index.yaml
+55
View File
@@ -15702,6 +15702,61 @@ discovery:
name: command_prompt
elevation_required: true
command: fltmc.exe | findstr.exe 385201
T1518:
technique:
x_mitre_data_sources:
- Process command-line parameters
- Process monitoring
- File monitoring
x_mitre_permissions_required:
- User
- Administrator
name: Software Discovery
description: Adversaries may attempt to get a listing of non-security related
software that is installed on the system. Adversaries may use the information
from [Software Discovery](https://attack.mitre.org/techniques/T1518) during
automated discovery to shape follow-on behaviors, including whether or not
the adversary fully infects the target and/or attempts specific actions.
id: attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58
x_mitre_platforms:
- Linux
- macOS
- Windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
type: attack-pattern
x_mitre_detection: |-
System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.
Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086).
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created: '2019-09-16T17:52:44.147Z'
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: discovery
external_references:
- source_name: mitre-attack
external_id: T1518
url: https://attack.mitre.org/techniques/T1518
modified: '2019-09-27T19:03:39.143Z'
identifier: T1518
atomic_tests:
- name: Find and Display Iinternet Explorer Browser Version
description: 'Adversaries may attempt to get a listing of non-security related
software that is installed on the system. Adversaries may use the information
from Software Discovery during automated discovery to shape follow-on behaviors
'
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: 'reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer"
/v svcVersion
'
T1082:
technique:
x_mitre_permissions_required:
atomics/linux-index.md
+1 -1
View File
@@ -98,7 +98,7 @@
- [T1018 Remote System Discovery](./T1018/T1018.md)
- Atomic Test #4: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #5: Remote System Discovery - sweep [linux, macos]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1518 Software Discovery](./T1518/T1518.md)
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
atomics/linux-matrix.md
+1 -1
View File
@@ -13,7 +13,7 @@
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Office Application Startup](./T1137/T1137.md) | | [File and Directory Permissions Modification](./T1222/T1222.md) | [Network Sniffing](./T1040/T1040.md) | [Permission Groups Discovery](./T1069/T1069.md) | | [Email Collection](./T1114/T1114.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [HISTCONTROL](./T1148/T1148.md) | [Private Keys](./T1145/T1145.md) | [Process Discovery](./T1057/T1057.md) | | [Input Capture](./T1056/T1056.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Hidden Files and Directories](./T1158/T1158.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | | [Screen Capture](./T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Server Software Component](./T1505/T1505.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Server Software Component](./T1505/T1505.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](./T1518/T1518.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Setuid and Setgid](./T1166/T1166.md) | | [Indicator Removal on Host](./T1070/T1070.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Systemd Service](./T1501/T1501.md) | | [Install Root Certificate](./T1130/T1130.md) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Trap](./T1154/T1154.md) | | [Masquerading](./T1036/T1036.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
atomics/macos-index.md
+1 -1
View File
@@ -112,7 +112,7 @@
- Atomic Test #5: Remote System Discovery - sweep [linux, macos]
- [T1063 Security Software Discovery](./T1063/T1063.md)
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1518 Software Discovery](./T1518/T1518.md)
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #2: System Information Discovery [linux, macos]
- Atomic Test #3: List OS Information [linux, macos]
atomics/macos-matrix.md
+1 -1
View File
@@ -14,7 +14,7 @@
| | [Trap](./T1154/T1154.md) | [Launchctl](./T1152/T1152.md) | [Sudo Caching](./T1206/T1206.md) | [Gatekeeper Bypass](./T1144/T1144.md) | [Private Keys](./T1145/T1145.md) | [Process Discovery](./T1057/T1057.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](./T1168/T1168.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](./T1148/T1148.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](./T1100/T1100.md) | [Hidden Files and Directories](./T1158/T1158.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](./T1063/T1063.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Logon Scripts](./T1037/T1037.md) | | [Hidden Users](./T1147/T1147.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Logon Scripts](./T1037/T1037.md) | | [Hidden Users](./T1147/T1147.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](./T1518/T1518.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Plist Modification](./T1150/T1150.md) | | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Information Discovery](./T1082/T1082.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | | [Rc.common](./T1163/T1163.md) | | [Indicator Removal on Host](./T1070/T1070.md) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Remote File Copy](./T1105/T1105.md) |
atomics/matrix.md
+1 -1
View File
@@ -18,7 +18,7 @@
| | [Local Job Scheduling](./T1168/T1168.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [DCShadow](./T1207/T1207.md) | [Keychain](./T1142/T1142.md) | [Query Registry](./T1012/T1012.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Mshta](./T1170/T1170.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](./T1086/T1086.md) | Emond [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [New Service](./T1050/T1050.md) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Security Software Discovery](./T1063/T1063.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Password Filter DLL](./T1174/T1174.md) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Password Filter DLL](./T1174/T1174.md) | [Software Discovery](./T1518/T1518.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Private Keys](./T1145/T1145.md) | [System Information Discovery](./T1082/T1082.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Plist Modification](./T1150/T1150.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | [Windows Remote Management](./T1028/T1028.md) | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
atomics/windows-index.md
+2 -1
View File
@@ -368,7 +368,8 @@
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #4: Security Software Discovery - Sysmon Service [windows]
- T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1518 Software Discovery](./T1518/T1518.md)
- Atomic Test #1: Find and Display Iinternet Explorer Browser Version [windows]
- [T1082 System Information Discovery](./T1082/T1082.md)
- Atomic Test #1: System Information Discovery [windows]
- [T1016 System Network Configuration Discovery](./T1016/T1016.md)
atomics/windows-matrix.md
+1 -1
View File
@@ -16,7 +16,7 @@
| | [Mshta](./T1170/T1170.md) | [Create Account](./T1136/T1136.md) | [New Service](./T1050/T1050.md) | [DCShadow](./T1207/T1207.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](./T1012/T1012.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](./T1086/T1086.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Network Sniffing](./T1040/T1040.md) | [Remote System Discovery](./T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](./T1174/T1174.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Private Keys](./T1145/T1145.md) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Remote Management](./T1028/T1028.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Private Keys](./T1145/T1145.md) | [Software Discovery](./T1518/T1518.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | PowerShell Profile [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |