security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2022-07-29 15:14:22 +00:00
parent 5849c1516b
commit 6f92864b88
6 changed files with 58 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -1290,6 +1290,7 @@ impact,T1529,System Shutdown/Reboot,6,Shutdown System via `halt` - Linux,918f70a
impact,T1529,System Shutdown/Reboot,7,Reboot System via `halt` - Linux,78f92e14-f1e9-4446-b3e9-f1b921f2459e,bash
impact,T1529,System Shutdown/Reboot,8,Shutdown System via `poweroff` - Linux,73a90cd2-48a2-4ac5-8594-2af35fa909fa,bash
impact,T1529,System Shutdown/Reboot,9,Reboot System via `poweroff` - Linux,61303105-ff60-427b-999e-efb90b314e41,bash
impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
1290 impact T1529 System Shutdown/Reboot 7 Reboot System via `halt` - Linux 78f92e14-f1e9-4446-b3e9-f1b921f2459e bash
1291 impact T1529 System Shutdown/Reboot 8 Shutdown System via `poweroff` - Linux 73a90cd2-48a2-4ac5-8594-2af35fa909fa bash
1292 impact T1529 System Shutdown/Reboot 9 Reboot System via `poweroff` - Linux 61303105-ff60-427b-999e-efb90b314e41 bash
1293 impact T1529 System Shutdown/Reboot 10 Logoff System - Windows 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 command_prompt
1294 initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
1295 initial-access T1566.001 Spearphishing Attachment 1 Download Macro-Enabled Phishing Attachment 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
1296 initial-access T1566.001 Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -931,6 +931,7 @@ impact,T1490,Inhibit System Recovery,8,Windows - Disable the SR scheduled task,1
impact,T1490,Inhibit System Recovery,9,Disable System Restore Through Registry,66e647d1-8741-4e43-b7c1-334760c2047f,command_prompt
impact,T1529,System Shutdown/Reboot,1,Shutdown System - Windows,ad254fa8-45c0-403b-8c77-e00b3d3e7a64,command_prompt
impact,T1529,System Shutdown/Reboot,2,Restart System - Windows,f4648f0d-bf78-483c-bafc-3ec99cd1c302,command_prompt
impact,T1529,System Shutdown/Reboot,10,Logoff System - Windows,3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4,command_prompt
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
initial-access,T1566.001,Spearphishing Attachment,1,Download Macro-Enabled Phishing Attachment,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
931 impact T1490 Inhibit System Recovery 9 Disable System Restore Through Registry 66e647d1-8741-4e43-b7c1-334760c2047f command_prompt
932 impact T1529 System Shutdown/Reboot 1 Shutdown System - Windows ad254fa8-45c0-403b-8c77-e00b3d3e7a64 command_prompt
933 impact T1529 System Shutdown/Reboot 2 Restart System - Windows f4648f0d-bf78-483c-bafc-3ec99cd1c302 command_prompt
934 impact T1529 System Shutdown/Reboot 10 Logoff System - Windows 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4 command_prompt
935 initial-access T1133 External Remote Services 1 Running Chrome VPN Extensions via the Registry 2 vpn extension 4c8db261-a58b-42a6-a866-0a294deedde4 powershell
936 initial-access T1566.001 Spearphishing Attachment 1 Download Macro-Enabled Phishing Attachment 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
937 initial-access T1566.001 Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -2216,6 +2216,7 @@
- Atomic Test #7: Reboot System via `halt` - Linux [linux]
- Atomic Test #8: Shutdown System via `poweroff` - Linux [linux]
- Atomic Test #9: Reboot System via `poweroff` - Linux [linux]
- Atomic Test #10: Logoff System - Windows [windows]
# initial-access
- [T1133 External Remote Services](../../T1133/T1133.md)
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -1583,6 +1583,7 @@
- [T1529 System Shutdown/Reboot](../../T1529/T1529.md)
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
- Atomic Test #10: Logoff System - Windows [windows]
# initial-access
- [T1133 External Remote Services](../../T1133/T1133.md)
atomics/Indexes/index.yaml
+19
View File
@@ -96626,6 +96626,25 @@ impact:
'
name: bash
elevation_required: true
- name: Logoff System - Windows
auto_generated_guid: 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
description: 'This test performs a Windows system logoff as seen in [dcrat backdoor
capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
'
supported_platforms:
- windows
input_arguments:
timeout:
description: Timeout period before shutdown (seconds)
type: Integer
default: 1
executor:
command: 'shutdown /l /t #{timeout}
'
name: command_prompt
elevation_required: true
initial-access:
T1133:
technique:
atomics/T1529/T1529.md
+35
View File
@@ -24,6 +24,8 @@ Adversaries may attempt to shutdown/reboot a system after impacting it in other
- [Atomic Test #9 - Reboot System via `poweroff` - Linux](#atomic-test-9---reboot-system-via-poweroff---linux)
- [Atomic Test #10 - Logoff System - Windows](#atomic-test-10---logoff-system---windows)
<br/>
@@ -296,4 +298,37 @@ poweroff --reboot
<br/>
<br/>
## Atomic Test #10 - Logoff System - Windows
This test performs a Windows system logoff as seen in [dcrat backdoor capabilities](https://www.mandiant.com/resources/analyzing-dark-crystal-rat-backdoor)
**Supported Platforms:** Windows
**auto_generated_guid:** 3d8c25b5-7ff5-4c9d-b21f-85ebd06654a4
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| timeout | Timeout period before shutdown (seconds) | Integer | 1|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
shutdown /l /t #{timeout}
```
<br/>